Re: cookie problems

From: Henrik Nordstrom <>
Date: Wed, 27 Oct 1999 00:03:27 +0200

Dave J Woolley wrote:

> As I understand it, if you provide a cookie, a public
> cache, like squid, may cache it unless you set cache-control:
> private.

True, but HTTP/1.1 allows far more detailed control than all or nothing.
If the page content is public but the cookie is private then only the
Set-Cookie header needs to be marked as private:
        Cache-Control: private="Set-Cookie"

If the page content is public, but the server needs to always be
contacted to generate a private cookie then the headers should read:
        Cache-Control: private="Set-Cookie" proxy-revalidate
Telling any proxy caches that the Set-Cookie header is private, and the
page must be revalidated on each request to get a fresh Set-Cookie

The key issue is that if the cookie is private, then it MUST be marked
as private or it may be cached by caches as any other public content.

Squid (as of 2.2.STABLE5) will never cache any cookies. It will always
handle the responses as if 'Cache-Control: private="Set-Cookie"' was
present. This comes from an old Cookie specification for Netscape
predating the Cache-Control header..

Also, I do not think Squid properly handles any of this at the moment.

Henrik Nordstrom
Squid hacker
Received on Tue Oct 26 1999 - 16:21:26 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:49:05 MST