Issues-list item "CACHING-CGI" from http-wg@cuckoo.hpl.hp.com on 1997-04-16 (ietf-http-wg@w3.org from April to June 1997)

From: <http-wg@cuckoo.hpl.hp.com>
Date: Wed, 16 Apr 1997 11:51:19 +0100
To: http-wg@cuckoo.hpl.hp.com
Message-Id: <8525647B.000F5734.00@mta2.lotus.com>

According to my notes from the Memphis meeting, I agreed to draft
a clarification for the spec, in response to this item.  The
reference from the Issues List is to a message I wrote in December:

    http://www.ics.uci.edu/pub/ietf/http/hypermail/1996q4/0363.html

The question here is "when should a cache store and reuse a response
from a CGI script?".

I'm not sure that the HTTP/1.1 specification needs to say much more
about this ... but since it apparently was not sufficiently clear
to at least some readers, I'll propose an editorial change.

Currently, in section 13.9 (Side Effects of GET and HEAD) reads,
in its entirety:

   Unless the origin server explicitly prohibits the caching of their
   responses, the application of GET and HEAD methods to any resources
   SHOULD NOT have side effects that would lead to erroneous behavior if
   these responses are taken from a cache. They may still have side
   effects, but a cache is not required to consider such side effects in
   its caching decisions. Caches are always expected to observe an
   origin server's explicit restrictions on caching.

   We note one exception to this rule: since some applications have
   traditionally used GETs and HEADs with query URLs (those containing a
   "?" in the rel_path part) to perform operations with significant side
   effects, caches MUST NOT treat responses to such URLs as fresh unless
   the server provides an explicit expiration time. This specifically
   means that responses from HTTP/1.0 servers for such URIs should not
   be taken from a cache. See section 9.1.1 for related information.

[9.1.1 defines "safe methods".]

I propose adding this to the end of section 13.9:

 Note that some HTTP/1.0 cache operators have found that it is
 dangerous to cache responses to requests for URLs including the
 string "cgi-bin".  HTTP/1.1 caches should follow this practice
 for responses that do not include an explicit expiration time.
 HTTP/1.1 origin servers that want to allow caching of responses
 for URLs including "?" or "cgi-bin" SHOULD include an explicit
 expiration time.  Explicit expiration times may be specified
 using Expires, or the max-age directive of Cache-Control, or
 both.

-Jeff

P.S.: I base the first sentence in the note on the sample configuration
file distributed with a recent version of the Squid cache software.
If this is actually contrary to normal practice, someone should say so.

Received on Wednesday, 16 April 1997 04:06:54 UTC