[squid-users] set-cookie header and rfc2109

From: Angelo Höngens <a.hongens_at_netmatch.nl>
Date: Wed, 19 May 2010 22:22:36 +0200

Hey guys,

I have question about rfc compliancy in regard to caching set-cookie
headers. According to the faq, squid does not return set-cookie headers
for hits, and I am very happy that it works this way.

It does not really make sense to me for an application to send a
cache-control:public header and then set a cookie, but that aside. I had
a discussion with one the our developers, I want to see where in the
rfc's this behaviour is dictated.

The Squid faq says:


"The proper way to deal with Set-Cookie reply headers, according to RFC
2109 is to cache the whole object, EXCEPT the Set-Cookie header lines."

However, when I read rfc2109, I cannot find the directive that states
proxies must not cache these headers. On the contrary, the RFC talks
about "A Set-cookie header that is intended to be shared by multiple
users may be cached", and tells you that if you don't want to cache this
header, you should indicate so by setting the header "Cache-control:


"4.2.3 Controlling Caching

   An origin server must be cognizant of the effect of possible caching
   of both the returned resource and the Set-Cookie header. Caching
   "public" documents is desirable. For example, if the origin server
   wants to use a public document such as a "front door" page as a
   sentinel to indicate the beginning of a session for which a Set-
   Cookie response header must be generated, the page should be stored
   in caches "pre-expired" so that the origin server will see further
   requests. "Private documents", for example those that contain
   information strictly private to a session, should not be cached in
   shared caches.

   If the cookie is intended for use by a single user, the Set-cookie
   header should not be cached. A Set-cookie header that is intended to
   be shared by multiple users may be cached.

   The origin server should send the following additional HTTP/1.1
   response headers, depending on circumstances:

   * To suppress caching of the Set-Cookie header: Cache-control: no-
and a little down:

"4.5 Caching Proxy Role

   One reason for separating state information from both a URL and
   document content is to facilitate the scaling that caching permits.
   To support cookies, a caching proxy must obey these rules already in
   the HTTP specification:

   * Honor requests from the cache, if possible, based on cache validity

   * Pass along a Cookie request header in any request that the proxy
     must make of another server.

   * Return the response to the client. Include any Set-Cookie response

   * Cache the received response subject to the control of the usual
     headers, such as Expires, Cache-control: no-cache, and Cache-
     control: private,

   * Cache the Set-Cookie subject to the control of the usual header,
     Cache-control: no-cache="set-cookie". (The Set-Cookie header
     should usually not be cached.)

   Proxies must not introduce Set-Cookie (Cookie) headers of their own
   in proxy responses (requests)."

Is this a 'bug' in the documentation/squid, is it a well-considered
deviation from rfc, or am I missing something?

With kind regards,
Angelo Höngens
systems administrator
MCSE on Windows 2003
MCSE on Windows 2000
MS Small Business Specialist
tourism internet software solutions
Ringbaan Oost 2b
5013 CA Tilburg
+31 (0)13 5811088
+31 (0)13 5821239
Received on Wed May 19 2010 - 20:22:45 MDT

This archive was generated by hypermail 2.2.0 : Thu May 20 2010 - 12:00:06 MDT