Re: ISSUE: revalidation from Jeffrey Mogul on 1998-07-14 (ietf-http-wg@w3.org from July to September 1998)

From: Jeffrey Mogul <mogul@pa.dec.com>
Date: Tue, 14 Jul 98 10:58:11 MDT
To: Richard Gray <rlgray@us.ibm.com>
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <9807141758.AA02091@acetes.pa.dec.com>

Richard Gray <rlgray@us.ibm.com> writes:
    Having read both
    http://www.ics.uci.edu/pub/ietf/http/draft-mogul-http-revalidate-01.txt,
    and the diff version of rev-03, I am now confused about the
    Cache-control revalidation directives, and their intended
    interaction with the Authorization mechanism.

I have no opinions about Authorization, so you'll have to wait
for someone else to discuss the "intended interaction".  But
regarding the basic revalidation mechanism:

    14.9.4 seems to say that must-revalidate is not unconditional, but
    rather that it only requires revalidation if the object is stale.
    It further seems to say that proxy-revalidate can be used to
    require shared proxies to authenticate each user.

The difference between must-revalidate and proxy-revalidate is
that the former applies to all caches, but the latter does not
apply to non-shared caches (e.g., browser caches).  If you are
willing to assume that a given browser cache is uniquely associated
with a specific user, then you could use proxy-revalidate instead
of must-revalidate (if your goal is to force re-authentication.)

    So, an origin server should send both "proxy-revalidate" and
    "public" to force revalidation?  If so, I think at the very least
    this should be added to the list in 14.8, and that proxies ought to
    be required to revalidate in this case.  If not, I need educating.
    
The intended way to force revalidation (by shared caches) is to use

	Cache-control: s-maxage=0, proxy-revalidate

I.e., tell the shared caches that the response is immediately
stale, and that shared caches are not allowed to ignore this.
*HOWEVER*, since this is rather verbose, and since the "s-maxage"
directive was added specifically to support this case, the
spec says "s-maxage directive also implies ... proxy-revalidate",
so you really only need to send

	Cache-control: s-maxage=0

to force a shared cache to revalidate on every access.  It's
a no-op for private caches.

Bottom line: I don't think this is an issue, except perhaps
for "the specification is complicated and someone should
write a tutorial".

-Jeff

Received on Wednesday, 15 July 1998 14:11:02 UTC