Re: Vary: Cookie

Mark Nottingham wrote:
> In theory, set-cookie can be stored by a shared cache, assuming the  
> response is otherwise cacheable; it doesn't have any special status in  
> this regard. Likewise, the cookie request header doesn't affect  
> requests unless Vary says so.
> 
> In practice, some (but not all) shared caches will treat requests or  
> responses with cookies differently (although it's less prevalent on  
> cookies, since so many sites  tend to spray them everywhere...).

It would be quite messy, if a server sent a page with Set-Cookie, then
later another page with a _later_ Set-Cookie which replaces the
earlier cookie, then a long time later the cache serves the _original_
Set-Cookie with a cookie which has long ago expired, causing the later
cookie to be lost.

On the other hand, using request's Cookie for caching seems reasonable
to me, if the server does not consider the response private to just
one client.

Even though a cookie value is (usually) tied to a single client, a
_response_ might be the same for many different client cookie values,
but still restricted to a subset of client cookie values.

For example, it may be the server has the same response for all people
in a certain group, each with different cookies, and a different
response for all people in another group, also each with different
cookies.

If a server requires a response to be private to just one client, it
can use "Cache-Control: private".

-- Jamie

Received on Wednesday, 3 June 2009 17:56:17 UTC