- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 03 Feb 2010 14:34:02 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Feb 3, 2010, at 2:12 PM, Julian Reschke wrote:

>> AFAICT, RFC 2616 only does a special case for the Authorization
>> header, which leaves me wondering what shared caches do for other
>> kinds of credentials, such as cookies or the NTLM authentication that
>
> Cookies require
>
> Vary: Cookie
>
> on the response. Or something more drastic.
>
>> Jonas referred to. For example, if an origin server responds to a
>> request with cookies by sending a response with no Vary header and no
>> Cache-Control: private or other disabling of caching, would the proxy
>> use the response to respond to a later request without cookies? Do
>
> If it follows the applicable specs to the letter, yes (I believe).
>
>> proxies commonly implement a special case for the Cookie header,
>> similar to the Authorization header? Do origin servers commonly have
>> this bug?
>
> That would be interesting to find out.
>
> We know that "Vary" doesn't work well in practice because of all the
> bugs^^^^shortcomings in IE.

I don't think I've ever seen a Web server send "Vary: Cookie". I don't know offhand if they consistently send enough cache control headers to prevent caching across users.

Regards,
Maciej
Received on Wednesday, 3 February 2010 22:34:37 UTC
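
The case discussed in this message, as an added example that is not part of the original e-mail: a simplified model of a shared cache applying the RFC 2616 rules named in the thread (the Authorization special case, Vary, Cache-Control: private). It shows that a response to a cookie-bearing request is reused for a cookieless request unless the origin sends Vary: Cookie or disables shared caching. All class and function names are hypothetical, the scenario is constructed, and every stored response is assumed to be fresh.

```python
# Simplified model of a shared cache following RFC 2616 (added example).
# Assumption: every stored response is still fresh; expiry is not modelled.
# Header names are lowercase dict keys; all names here are hypothetical.

def directives(headers):
    """Parse Cache-Control into a set of lowercase directive names."""
    raw = headers.get("cache-control", "")
    return {d.split("=")[0].strip().lower() for d in raw.split(",") if d.strip()}

def storable(req, resp):
    """May a shared cache store this response for reuse?"""
    cc = directives(resp)
    if "no-store" in cc or "private" in cc:
        return False
    # RFC 2616 section 14.8: the only credential header with a special case.
    if "authorization" in req:
        return bool(cc & {"public", "s-maxage", "must-revalidate"})
    return True  # a Cookie request header alone changes nothing

def vary_names(resp):
    return [n.strip().lower() for n in resp.get("vary", "").split(",") if n.strip()]

class SharedCache:
    def __init__(self):
        self.entries = {}  # url -> list of (selecting header values, response)

    def store(self, url, req, resp):
        if storable(req, resp):
            key = {n: req.get(n) for n in vary_names(resp)}
            self.entries.setdefault(url, []).append((key, resp))

    def lookup(self, url, req):
        """Return a stored response whose Vary-selected headers match, or None."""
        for key, resp in self.entries.get(url, []):
            if "*" in key:
                continue  # Vary: * never matches a later request
            if all(req.get(n) == v for n, v in key.items()):
                return resp
        return None

def served_to_anonymous(resp_headers):
    """Constructed scenario: user A sends a cookie, then a cookieless request."""
    cache = SharedCache()
    resp = dict(resp_headers, body="account page for user A")
    cache.store("/account", {"cookie": "session=A"}, resp)
    return cache.lookup("/account", {}) is not None
```
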