Re: Questions (errata?) about caching authenticated responses [#174]

There's been some back-and-forth about the wording to use, but no concrete proposals.

There have also been questions about relative precedence of directives, but that seems like a separable issue.

I haven't seen anyone dispute that Authentication handling in the caching section is broken, or that this is an improvement over the current text.

So, I'm inclined to incorporate this text, and tweak it later as necessary.

On 01/06/2010, at 9:54 PM, Mark Nottingham wrote:

> Counter-proposal:
> Add a new section to p6:
> ---8<---
> Shared Caching of Authenticated Responses
> Shared caches MUST NOT use a cached response to a request with an Authorization [ref] header to satisfy any subsequent request unless a cache directive that allows such responses to be stored is present in the response.
> In this specification, the following Cache-Control response directives [ref] have such an effect: must-revalidate, public, s-maxage.
> Note that cached responses that contain the "must-revalidate" and/or "s-maxage" response directives are not allowed to be served stale [ref] by shared caches. In particular, a response with either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to satisfy a subsequent request without revalidating it on the origin server. 
> --->8---
> ... with appropriate changes to p6 2.1, 2.2, as well as the definitions of the Auth header and appropriate CC directives.

Mark Nottingham

Received on Thursday, 1 July 2010 20:57:27 UTC