- From: Jamie Lokier <jamie@shareable.org>
- Date: Wed, 3 Jun 2009 18:55:36 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Mark Nottingham wrote:
> In theory, set-cookie can be stored by a shared cache, assuming the
> response is otherwise cacheable; it doesn't have any special status in
> this regard. Likewise, the cookie request header doesn't affect
> requests unless Vary says so.
>
> In practice, some (but not all) shared caches will treat requests or
> responses with cookies differently (although it's less prevalent on
> cookies, since so many sites tend to spray them everywhere...).

It would be quite messy, if a server sent a page with Set-Cookie, then later another page with a _later_ Set-Cookie which replaces the earlier cookie, then a long time later the cache serves the _original_ Set-Cookie with a cookie which has long ago expired, causing the later cookie to be lost.

On the other hand, using request's Cookie for caching seems reasonable to me, if the server does not consider the response private to just one client. Even though a cookie value is (usually) tied to a single client, a _response_ might be the same for many different client cookie values, but still restricted to a subset of client cookie values.

For example, it may be the server has the same response for all people in a certain group, each with different cookies, and a different response for all people in another group, also each with different cookies.

If a server requires a response to be private to just one client, it can use "Cache-Control: private".

-- Jamie
Received on Wednesday, 3 June 2009 17:56:17 UTC
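
The stale Set-Cookie replay described in the message above, as an added example that is not part of the original post: a toy shared cache run in three configurations (storing Set-Cookie, stripping it from stored responses, and an origin that sends "Cache-Control: private"). `SharedCache`, `make_origin` and `final_cookie` are hypothetical names, the origin and its `sid=vN` cookies are constructed, and stripping Set-Cookie before storing is an assumed mitigation that the message does not propose.

```python
# Added illustration; SharedCache, make_origin and final_cookie are hypothetical names.
class SharedCache:
    """Toy shared cache keyed by URL only (constructed; not a real proxy)."""

    def __init__(self, strip_set_cookie=False):
        self.strip_set_cookie = strip_set_cookie
        self.store = {}

    def fetch(self, url, origin):
        if url in self.store:
            return dict(self.store[url])       # hit: replayed exactly as stored
        resp = origin(url)
        directives = {d.strip().split("=")[0].lower()
                      for d in resp.get("Cache-Control", "").split(",")}
        if not directives & {"private", "no-store"}:
            stored = dict(resp)
            if self.strip_set_cookie:          # assumed mitigation, not from the post
                stored.pop("Set-Cookie", None)
            self.store[url] = stored
        return resp                            # first client still gets its cookie


def make_origin(cache_control):
    """Constructed origin: every response it generates sets a newer sid cookie."""
    hits = []

    def origin(url):
        hits.append(url)
        return {"Cache-Control": cache_control,
                "Set-Cookie": "sid=v%d" % len(hits), "body": url}
    return origin


def final_cookie(cache, cache_control="max-age=3600"):
    """Replay page1, page2, page1 through the cache; return the client's sid."""
    origin, jar = make_origin(cache_control), {}
    for url in ("/page1", "/page2", "/page1"):
        resp = cache.fetch(url, origin)
        if "Set-Cookie" in resp:               # same-named cookie is replaced
            name, _, value = resp["Set-Cookie"].partition("=")
            jar[name] = value
    return jar["sid"]


if __name__ == "__main__":
    print(final_cookie(SharedCache()))                        # v1: stale cookie wins
    print(final_cookie(SharedCache(strip_set_cookie=True)))   # v2: later cookie kept
    print(final_cookie(SharedCache(), "private"))             # v3: always from origin
```

In the first run the cached copy of /page1 overwrites the newer `sid` with the original value, which is the loss the message describes.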