Wednesday, April 1, 2009

Cache-Control: public and Session


Recently one of our developers reported that session variables were not being kept for him and asked me to look into it.
After a couple of hours of investigation, I finally concluded that this was probably because he had set Cache-Control to public in his page.

Here is my conclusion.
When Cache-Control is set to public for your page, it is understood that the page is the same for everybody at any time.
When a proxy server sees this, it caches the page, and the cookie in which your session is stored will not reach the user's browser.
Consequently, when the user makes the next request to your server, no cookie is sent, and the server treats it as a new session.
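To make the mechanism above concrete, here is an added example (not code from the original post): a small header check that flags the Cache-Control: public plus Set-Cookie combination, and a toy shared-cache model that replays a user's two requests through a proxy. The proxy policy it models (store responses marked public, and do not forward the Set-Cookie of such a response) is a simplifying assumption drawn from the observation in this post, not the behaviour of any particular proxy product; the cookie name and session id are constructed.

```python
"""Added example, not code from the original post: a response-header check for
the Cache-Control: public + Set-Cookie combination, and a toy shared-cache model
that reproduces the observed effect. The proxy policy modelled here (store
responses marked public, and drop the Set-Cookie of such a response) is a
simplifying assumption drawn from the post, not a reading of any real proxy."""


def parse_cache_control(value):
    """Split 'public, max-age=600' into {'public': None, 'max-age': '600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip() or None
    return directives


def check_session_safety(headers):
    """Return the problems found in a response that sets a (session) cookie."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "set-cookie" not in lower:
        return []
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "public" in cc:
        return ["Set-Cookie sent with Cache-Control: public; a shared cache may "
                "store the page and the cookie may never reach the client"]
    if "private" not in cc and "no-store" not in cc:
        return ["Set-Cookie sent without Cache-Control: private or no-store"]
    return []


class SharedCache:
    """Toy forward proxy shared by many users (constructed model)."""

    def __init__(self):
        self.store = {}

    def fetch(self, url, request_headers, origin):
        """Serve from cache if possible, else ask the origin and maybe store."""
        if url in self.store:
            return self.store[url]
        status, headers, body = origin(url, request_headers)
        cc = parse_cache_control(headers.get("Cache-Control", ""))
        if "public" in cc:
            # Assumption: the proxy keeps the page for everyone and drops the
            # per-user Set-Cookie header, as the post observed.
            shared = {k: v for k, v in headers.items() if k.lower() != "set-cookie"}
            self.store[url] = (status, shared, body)
            return self.store[url]
        return status, headers, body


def simulate(cache_control):
    """One user makes two requests through a SharedCache to an origin that
    starts a session on the first request. Reports whether the session cookie
    reached the browser and whether the origin saw it on the second request."""
    proxy = SharedCache()
    jar = {}           # the browser's cookie jar
    seen_cookies = []  # Cookie header the origin received, per request

    def origin(url, request_headers):
        cookie = request_headers.get("Cookie")
        seen_cookies.append(cookie)
        headers = {"Cache-Control": cache_control, "Content-Type": "text/html"}
        if cookie is None:  # new visitor: start a session (constructed id)
            headers["Set-Cookie"] = "SID=constructed-session-id; Path=/; HttpOnly"
        return 200, headers, "<html>account page</html>"

    for _ in range(2):
        req = {}
        if jar:
            req["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        _status, headers, _body = proxy.fetch("/account", req, origin)
        if "Set-Cookie" in headers:
            name, _, rest = headers["Set-Cookie"].partition("=")
            jar[name] = rest.split(";", 1)[0]

    return {
        "cookie_reached_client": "SID" in jar,
        "origin_saw_session_on_second_request":
            len(seen_cookies) == 2 and "SID=" in (seen_cookies[1] or ""),
    }


if __name__ == "__main__":
    for cc in ("private", "public, max-age=600"):
        print(cc, simulate(cc))
```

With `private` the proxy forwards every request, the browser stores the cookie, and the origin sees it on the second request; with `public` the cookie is dropped and the second request never reaches the origin at all, which is exactly the "new session" symptom described above. The `check_session_safety` function is the kind of check worth running over responses from any page that relies on a session cookie.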

That the cookie does not reach the client is true: I do not see the Set-Cookie header in the response. I would see it if Cache-Control were set to private, the default.
But I was surprised by two things.

One: I found nobody talks specifically about this on the net. I think this is a pitfall that we could fall into easily.
Many say that when the page requires authentication, it has to be private, without explaining why in detail, so you may not see the connection.

Two: the fact that the proxy strips the cookie when Cache-Control is set to public.
Mmm… Maybe… because it first caches the response and then sends it to you. Anyway, it was good to know.
