Ruediger Pluem wrote:
> I agree that there are many situations where it does not make sense to cache things under access control, but there are ones where it makes sense, e.g. if you create a forward proxy with httpd that should use caching and that only a limited number of clients on your LAN should be able to use.
Forward proxies using access control use the Proxy-Authenticate header, which is entirely different access control to the WWW-Authenticate header used in normal access control. The Cache-Control: private header would not apply in this case.
> So I agree with Paul that it should be configurable.
Thinking about this for a bit, I don't think it should be configurable. Adding "Cache-Control: private" to access controlled resources is part of RFC2616, and this spec shouldn't be overridden lightly.
If there is a compelling reason to support not adding Cache-Control: private to authenticated requests, then it's definitely an option, but I think we should default to the safe option for now.
Regards,
Graham
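Added example (not part of the original message or of httpd's code): a Python sketch of the shared-cache rules in RFC 2616 sections 14.8 and 14.9.1 that this exchange turns on, showing that origin credentials in Authorization restrict storage while Proxy-Authorization does not. The function names and sample headers are constructed for illustration, and only these directives are checked (not method, status code or freshness).

```python
"""Shared-cache storability check per RFC 2616 sections 14.8 and 14.9.1."""


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}.

    Simplification: splits on every comma, so a quoted argument that
    contains commas is broken up. The directive names still survive.
    """
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return (allowed, reason) for a shared cache such as a caching proxy."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))

    if "no-store" in cc:
        return False, "response is marked no-store"
    # Conservative: private="field" only restricts the named fields,
    # but this sketch refuses to store the whole response.
    if "private" in cc:
        return False, "response is marked private"
    # Section 14.8: a request with Authorization is only reusable from a
    # shared cache if the origin explicitly allows it.
    if "authorization" in req:
        if cc.keys() & {"public", "must-revalidate", "s-maxage"}:
            return True, "origin explicitly allows shared caching"
        return False, "authenticated request without explicit permission"
    # Proxy-Authorization authenticates the client to the proxy itself,
    # so it does not count as origin credentials here.
    return True, "no origin credentials on the request"


# Constructed sample requests and responses (credentials are placeholders).
SAMPLES = [
    ({"Proxy-Authorization": "Basic PLACEHOLDER"}, {"Cache-Control": "max-age=300"}),
    ({"Authorization": "Basic PLACEHOLDER"}, {}),
    ({"Authorization": "Basic PLACEHOLDER"}, {"Cache-Control": "public, max-age=60"}),
    ({}, {"Cache-Control": "private"}),
]

if __name__ == "__main__":
    for request, response in SAMPLES:
        print(request, response, shared_cache_may_store(request, response))
```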
