Trawling through a few bugs, this one looks valid to me: namely,
Set-Cookie headers should be enabled on 304 responses.

The current behaviour has a rationale, but I believe it's incorrectly
applied.  Set-Cookie is a response header and does not affect a
cached entity body, so there's no reason to suppress it.

The patch is a one-liner.  Unless anyone can come up with a reason
why it might open a security hole, I'll apply it.

-- 
Nick Kew
