Re: Cache-control: private and off-line

>Scenario: A server has generated a personalized response for a user that is
>not suitable for caching by proxies. However the server does want the
>client's cache to cache it so that it will be available for off-line. The
>catch is, the user is running on windows 95 which uses a single cache for
>everyone who accesses the computer.
>
>Solution 1: The server places a cache-control: private header on the
>response. Thus the proxy will not cache the response. The windows 95 machine
>is smart enough to see the cache-control: private header and to store it in
>the shared cache tagged with the user's name. Thus if another user logs into
>the machine, that user WILL NOT be served up that particular cached page
>because the name associated with the entry doesn't match. However, the new
>user could go to the cache directory and sniff through it to get the actual
>file.

Yep.  Be sure to include the Expires trick as well to prevent a good
HTTP/1.0 cache from caching it.

>Solution 2: The server could place a set-cookie on the response, thus
>causing the proxy to not cache it, but the client side cache is smart enough
>to cache such a response but tag it with the user's name.

I think you will find that an HTTP/1.0 proxy will cache it.

>So the question becomes, does solution 1 violate the intent of
>cache-control: private? There is protection from inadvertently coming across
>another user's page and the level of security is the same as the level of
>security for all materials on the machine but there isn't ACL control.

Solution 1 is the intent of private.  The private directive means
okay-if-it-is-not-used-by-some-other-user.  It doesn't mean privacy or
secure, since that is already lost in a non-secure transmission.

....Roy

Received on Saturday, 15 November 1997 13:57:22 UTC
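As an added illustration of the distinction drawn above (a response a proxy must not store, a per-user client cache may store, and an HTTP/1.0 cache that ignores Cache-Control and Set-Cookie), here is a small storability model. It is example code written for this archive page, not code from the list or from any real cache; the three cache kinds and the reading of the "Expires trick" as an Expires value no later than Date are assumptions.

```python
"""Which caches may store a response?  Models the thread's scenario; the
cache kinds and the Expires-trick reading are assumptions, not any real
cache's logic.  Storability only, not freshness or revalidation."""
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split 'private, max-age=60' into {'private': None, 'max-age': '60'}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def already_expired(headers):
    """The 'Expires trick': an Expires no later than Date (or unparseable)
    marks the response already expired for caches that only know HTTP/1.0."""
    expires = headers.get("Expires")
    if expires is None:
        return False
    try:
        exp = parsedate_to_datetime(expires)
        date = parsedate_to_datetime(headers["Date"])
    except (TypeError, ValueError, KeyError):
        return True  # invalid Expires is treated as already expired
    return exp <= date


def may_store(headers, cache):
    """cache is 'shared11' (HTTP/1.1 proxy), 'private11' (HTTP/1.1 client
    cache that tags entries per user, as in the Win95 case) or 'http10'
    (pre-Cache-Control cache: Set-Cookie does not stop it, only Expires)."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if cache == "http10":
        return not already_expired(headers)
    if "no-store" in cc:
        return False
    if cache == "shared11":
        return "private" not in cc
    return True
```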