Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 90271EED6 for ; Wed, 13 Mar 2013 23:56:54 +0000 (UTC) Received: (qmail 73314 invoked by uid 500); 13 Mar 2013 23:56:53 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 73256 invoked by uid 500); 13 Mar 2013 23:56:53 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 73248 invoked by uid 99); 13 Mar 2013 23:56:53 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Mar 2013 23:56:53 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of ylavic.dev@gmail.com designates 209.85.210.170 as permitted sender) Received: from [209.85.210.170] (HELO mail-ia0-f170.google.com) (209.85.210.170) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Mar 2013 23:56:49 +0000 Received: by mail-ia0-f170.google.com with SMTP id h8so1545149iaa.29 for ; Wed, 13 Mar 2013 16:56:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=cI2bL3uwlQtFIe9x+gjg85rB5MWQP0uc5yhkMg1qSoE=; b=WDVwZm1WzeTrfG+jB8uMe4DR2v5pJqIH5shTyEDskVnGJ9/xNb+8BKUckKKM6C4rA8 g9/SOeO6kUVlie2d/mrigU95iChl4dyD4N8E78VrbTWTPBubGYYVAsvy02bqKwYn/1e6 ce6wu5VO1GrFZQQO5Bo/ItqhZxaTD8ir6GRuqMXuhj4kHP+gHhlVgb7r093su1ehHoLv Mj/hoEOZV53f0iz2FEyH+EP0DmRzDgdA78NklGgb48aT7t9kdIB5RI2hgiQl+7Buu1kk NWjuCa82+3TRVWOWf9FnzGsPg8HxLZNkXIXtsPiWy4dP9fPYBi7DD9j7ohe2irMKszGo rDbQ== MIME-Version: 1.0 X-Received: by 10.50.7.240 with SMTP id m16mr226995iga.91.1363218988831; Wed, 13 Mar 2013 16:56:28 -0700 (PDT) Received: by 10.43.9.137 with HTTP; Wed, 13 Mar 2013 16:56:28 -0700 (PDT) In-Reply-To: <6FC30D9B-42E8-4349-9E6B-E8500B1E12DA@jellybaby.net> References: <5A706E07-D227-4B0A-A428-909E27FA963B@sharp.fm> <6FC30D9B-42E8-4349-9E6B-E8500B1E12DA@jellybaby.net> Date: Thu, 14 Mar 2013 00:56:28 +0100 Message-ID: Subject: Re: mod_cache with Cache-Control no-cache= or private= From: Yann Ylavic To: dev@httpd.apache.org Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Wed, Mar 13, 2013 at 9:28 PM, Tim Bannister wrote: > Is this the situation you're worried about: > > ClientA: GET /foo HTTP/1.1 > ReverseProxy: GET /foo HTTP/1.1 > Origin: HTTP/1.1 200 OK > Origin: Set-Cookie: data=3DAAAAAA > Origin: Cache-Control: private=3DSet-Cookie > ReverseProxy: Set-Cookie: data=3DAAAAAA > ReverseProxy: Cache-Control: private=3DSet-Cookie > > ClientB: GET /foo HTTP/1.1 > ClientB: Cookie: data=3DBBBBBB > ReverseProxy: GET /foo HTTP/1.1 > ReverseProxy: Cookie: data=3DBBBBBBB > Origin: HTTP/1.1 304 Not Modified Yes, about what happens now, the ReverseProxy (mod_cache) must not "Set-Cookie: data=3DAAAAAA" to ClientB. > This should just work. The final reply from the cacheing reverse proxy sh= ould look like this: > ReverseProxy: HTTP/1.1 304 Not Modified > ReverseProxy: Date: =85 This actually does not work, mod_cache will serve the cached Set-Cookie. The CacheIgnoreHeaders directive only can prevent this (not controlled by the origin). The final reply to ClientB, whose request is not conditional, can also be : ReverseProxy: HTTP/1.1 200 OK ReverseProxy: Cache-Control: private=3DSet-Cookie ReverseProxy: That's the main goal I guess (limit backend hits for large things). > and the Set-Cookie: header from the stored request would not be used (in = fact, the proxy may have elected not to store it). The origin doesn't have = to mention that header in the 304 response. In mod_cache the "no-store" of a particular header is harder to patch than the "no-cache" (ie. do not serve without revalidation), but indeed the former would be more efficient, no need to "sanitize" each served response. For the "private=3D", the rfc does not say more than its BNF... If private has the same semantic as without the =3D, the header should not be stored (the "Cache-Control: private" response is not stored by mod_cache). In all cases, IMHO, no cached Set-Cookie should aver played by a cache with private/no-cache=3D"Set-Cookie" associated with the resource.