- From: Bob Wyman <bobwyman@medio.com>
- Date: Wed, 23 Aug 95 15:15:17 -0800
- To: "www-talk@w3.org" <www-talk@w3.org>
-- [ From: Bob Wyman * EMC.Ver #2.5.02 ] --

Is a caching proxy permitted to cache HTTP headers that it doesn't understand? Do existing caching proxies cache such headers?

I'm concerned that there may be a serious problem with use of Dave Kristol's State-Info headers prior to general support by caching proxies of his requirement that: "...cache... must not cache the State-Info header..." The problem I see with this is one that must have already been experienced with Cookies if caching proxies cache headers they don't understand.

The problem is this: Imagine that I have a client that understands State-Info and I request data from an origin-server that generates State-Info headers. Imagine further that I make this request via a caching proxy that does not understand State-Info but *does* cache headers it doesn't understand. Now, if I make a request that ends up returning State-Info on an otherwise cacheable page, the cache will cache not only the page returned but also the State-Info header. Then, if anyone else (or 200 people) on "my side" of the proxy makes a request for the same page, they will get *my* State-Info. Also, if anyone else on my side of the proxy uses "my" state before I finish my session, it is possible that I'll suddenly discover new stuff in my shopping cart that someone ordered...

It seems like this problem must already be getting experienced by anyone who is using the Netscape cookie stuff. Does anyone know if it's a real problem?

Cookies and State-Info will probably not be the only examples of HTTP headers whose improper caching can be dangerous. Perhaps I don't read the specs clearly enough, but I can't find a general policy statement on whether caches can cache unknown headers.

On a slightly different tack... It seems like this whole business of caching is getting a bit complicated... It also seems that much of the data needed to responsibly cache things is not covered in the HTTP specs themselves. Rather, a serious cache writer would have to spend a good bit of time reading www-talk, etc. to collect the necessary folk-lore. Adding a lot of information about caching in the HTTP spec could make it more complex than necessary. Thus, it would seem to me that it would be useful to put some effort into building at least an "informational" RFC or IETF-Draft on the subject of caching. Is someone already doing this? Would it make sense? If it isn't being done and it does make sense, I think I'll volunteer to try to fix this one...

bob wyman
Received on Wednesday, 23 August 1995 18:24:12 UTC
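
The scenario described in the message, as an added example that is not part of the original post: a constructed in-memory origin and shared cache, run once storing every header and once dropping per-user state headers before storing. The class names, the `cart=` value format and the `PER_USER_HEADERS` set are assumptions made for illustration.

```python
import itertools

# Headers that carry per-user state; a shared cache must not store them.
# (Set chosen for this example from the two headers the message names.)
PER_USER_HEADERS = {"state-info", "set-cookie"}

class Origin:
    """Constructed origin server: each response carries a fresh State-Info."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.hits = 0

    def get(self, path):
        self.hits += 1
        headers = {"Content-Type": "text/html",
                   "State-Info": f"cart={next(self._ids)}"}
        return headers, f"<html>catalog page {path}</html>"

class CachingProxy:
    """Shared cache in front of the origin, keyed on path only."""
    def __init__(self, origin, strip_state_headers):
        self.origin = origin
        self.strip_state_headers = strip_state_headers
        self.cache = {}

    def get(self, path):
        if path in self.cache:                      # cache hit: replay stored copy
            headers, body = self.cache[path]
            return dict(headers), body
        headers, body = self.origin.get(path)       # cache miss: fetch and store
        stored = dict(headers)
        if self.strip_state_headers:
            stored = {k: v for k, v in headers.items()
                      if k.lower() not in PER_USER_HEADERS}
        self.cache[path] = (stored, body)
        return headers, body   # the original requester still gets its own state

def two_clients(strip_state_headers):
    """State-Info values seen by two different users behind the same proxy."""
    proxy = CachingProxy(Origin(), strip_state_headers)
    first, _ = proxy.get("/shop")    # user A, cache miss
    second, _ = proxy.get("/shop")   # user B, cache hit
    return first.get("State-Info"), second.get("State-Info"), proxy.origin.hits

if __name__ == "__main__":
    print("cache stores all headers:  ", two_clients(False))
    print("cache strips state headers:", two_clients(True))
```

In the first run both users receive `cart=1`, which is the shared shopping cart the message describes; in the second the page is still served from cache but the stored copy carries no State-Info.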