Re: "Cache-control: no-cache", "Cache-control: private", and , extensibility

Shel Kaphan writes:
 > You don't have to stretch too far.  If you write a server application
 > where a user who does not already have a cookie for that server is
 > given a new cookie when they go to the home page on that server, then
 > this situation applies.  You set the home page up as cachable but
 > stale so that it doesn't have to be re-fetched each time, just
 > revalidated, and along with the 304 response, the server sends a
 > set-cookie header particular to that new user.  (It might have a user
 > account number in it, for instance).
 > 
 > --Shel


Sorry.  If the user already has a cookie and it is sent with the
request for the home page, the application doesn't need to send a
set-cookie with its response.  You definitely don't want someone
else's cookie from the cache.  

It's just safer not to put them into caches in the first place.

Received on Tuesday, 20 February 1996 16:59:44 UTC
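
The hazard discussed in this thread, as an added example that is not part of the original messages: a toy shared cache that either stores Set-Cookie with the cached home page or keeps it out of the store and forwards it only to the client whose exchange produced it. Origin, SharedCache, run and the cookie values are hypothetical names and constructed sample data.

```python
from itertools import count

PER_USER = {"set-cookie"}  # header names that must never enter the shared store


class Origin:
    """Constructed origin: the home page is always revalidated, and a client
    that sends no cookie is issued a new one (on a 200 or a 304)."""
    def __init__(self):
        self._ids = count(1001)

    def handle(self, req):
        headers = {"etag": '"v1"', "cache-control": "max-age=0"}
        if "cookie" not in req:
            headers["set-cookie"] = f"acct={next(self._ids)}"
        if req.get("if-none-match") == '"v1"':
            return 304, headers, b""
        return 200, headers, b"<html>home</html>"


class SharedCache:
    """One-entry shared cache; strip_per_user selects naive or safe storage."""
    def __init__(self, origin, strip_per_user):
        self.origin, self.strip, self.entry = origin, strip_per_user, None

    def fetch(self, req):
        req = dict(req)
        if self.entry:
            req["if-none-match"] = self.entry[0]["etag"]
        status, hdrs, body = self.origin.handle(req)
        storable = {k: v for k, v in hdrs.items()
                    if not (self.strip and k in PER_USER)}
        if status == 304:
            self.entry[0].update(storable)   # merge 304 headers into the entry
            body = self.entry[1]
        else:
            self.entry = (storable, body)
        out = dict(self.entry[0])            # what the stored entry contributes
        out.update({k: v for k, v in hdrs.items() if k in PER_USER})
        return out, body


def run(strip_per_user):
    cache = SharedCache(Origin(), strip_per_user)
    a, _ = cache.fetch({})                       # new user A, no cookie yet
    b, body = cache.fetch({"cookie": "acct=7"})  # returning user B
    return a.get("set-cookie"), b.get("set-cookie"), body
```

With naive storage, user B's revalidated response carries the cookie issued to user A; with per-user headers kept out of the store, B receives none and A still gets their own.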