- From: Roy T. Fielding <fielding@kiwi.ics.uci.edu>
- Date: Sat, 15 Nov 1997 13:38:42 -0800
- To: Yaron Goland <yarong@microsoft.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, "Jim Gettys (E-mail)" <jg@w3.org>, "Larry Masinter (E-mail)" <masinter@parc.xerox.com>, "Henry Sanders (Exchange)" <henrysa@exchange.microsoft.com>, Paul Leach <paulle@microsoft.com>
> Scenario: A server has generated a personalized response for a user that is not suitable for caching by proxies. However the server does want the client's cache to cache it so that it will be available for off-line. The catch is, the user is running on windows 95 which uses a single cache for everyone who accesses the computer.
>
> Solution 1: The server places a cache-control: private header on the response. Thus the proxy will not cache the response. The windows 95 machine is smart enough to see the cache-control: private header and to store it in the shared cache tagged with the user's name. Thus if another user logs into the machine, that user WILL NOT be served up that particular cached page because the name associated with the entry doesn't match. However, the new user could go to the cache directory and sniff through it to get the actual file.

Yep. Be sure to include the Expires trick as well to prevent a good HTTP/1.0 cache from caching it.

> Solution 2: The server could place a set-cookie on the response, thus causing the proxy to not cache it, but the client side cache is smart enough to cache such a response but tag it with the user's name.

I think you will find that an HTTP/1.0 proxy will cache it.

> So the question becomes, does solution 1 violate the intent of cache-control: private? There is protection from inadvertently coming across another user's page and the level of security is the same as the level of security for all materials on the machine but there isn't ACL control.

Solution 1 is the intent of private. The private directive means okay-if-it-is-not-used-by-some-other-user. It doesn't mean privacy or secure, since that is already lost in a non-secure transmission.

....Roy
Received on Saturday, 15 November 1997 13:57:22 UTC
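The caching behaviour discussed in the message above, as an added example that is not part of the original thread: a storage decision for shared versus single-user caches, with and without Cache-Control support, plus a multi-user client cache that tags private entries with the user's name (Solution 1). The sample responses, URL and user names are constructed.

```python
import email.utils

# Constructed sample responses (not from the original thread): Solution 1 (private
# plus the "Expires trick", Expires == Date) and Solution 2 (Set-Cookie only).
SOLUTION1 = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 15 Nov 1997 21:38:42 GMT\r\n"
    "Cache-Control: private\r\n"
    "Expires: Sat, 15 Nov 1997 21:38:42 GMT\r\n"
    "Content-Type: text/html\r\n\r\n<html>Hello, alice</html>"
)
SOLUTION2 = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 15 Nov 1997 21:38:42 GMT\r\n"
    "Set-Cookie: session=abc123\r\n"
    "Content-Type: text/html\r\n\r\n<html>Hello, alice</html>"
)

def parse_headers(raw):
    """Return a lower-cased header dict from a raw response (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in head)}

def may_store(raw, shared, http11):
    """May a cache store this response? shared=True means a proxy cache;
    http11=True means the cache understands Cache-Control."""
    h = parse_headers(raw)
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    if http11:
        # "private" bars shared caches only; a single user's cache may still store it.
        return "no-store" not in cc and not (shared and "private" in cc)
    # HTTP/1.0 caches ignore Cache-Control and Set-Cookie; a good one declines a
    # response that is already expired (Expires <= Date): the "Expires trick".
    if "expires" in h and "date" in h:
        return (email.utils.parsedate_to_datetime(h["expires"])
                > email.utils.parsedate_to_datetime(h["date"]))
    return True

def store(cache, url, raw, user):
    """Single-machine, multi-user client cache: tag private entries with the user."""
    private = "private" in parse_headers(raw).get("cache-control", "").lower()
    cache[url] = (user if private else None, raw)

def lookup(cache, url, user):
    """Serve an entry only if it is unrestricted or tagged with this same user."""
    entry = cache.get(url)
    if entry is None or (entry[0] is not None and entry[0] != user):
        return None
    return entry[1]
```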