Graham Leggett wrote:
> Ruediger Pluem wrote:
>
>> I agree that there are many situations where it does not make sense to
>> cache things under access control, but there are ones where it makes
>> sense.
>>
>> e.g. If you create a forward proxy with httpd that should use caching
>> and that only a limited number of clients on your LAN should be able
>> to use.
>
> Forward proxies using access control use the Proxy-Authenticate header,
> which is entirely different access control to the WWW-Authenticate
> header used in normal access control. The Cache-Control: private header
> would not apply in this case.
>
>> So I agree with Paul that it should be configurable.
>
> Thinking about this for a bit, I don't think it should be configurable.
> Adding "Cache-Control: private" to access controlled resources is part
> of RFC2616, and this spec shouldn't be overridden lightly.
>
> If there is a compelling reason to support not adding Cache-Control:
> private to authenticated requests, then it's definitely an option, but I
> think we should default to the safe option for now.

The compelling reason is that this implies that even for the DEFAULT
configuration of apache, we should be sending cache-control private, for
EVERY page served.

That is bad. bad bad bad bad bad bad bad bad bad bad bad. Did I mention that is bad?

We need a better solution.

This also implies that if you use mod_rewrite based on any
non-Varied-Header information, you should be setting Cache-Control: Private too.

-Paul
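
An added example, not part of the original thread and not httpd or mod_cache code: a minimal shared-cache storability check following RFC 2616 sections 14.8 and 14.9.1, showing how `Authorization`, `Proxy-Authorization` and `Cache-Control: private` each affect the decision discussed above. The function names and the sample headers are hypothetical and constructed for illustration.

```python
def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return (allowed, reason) for a shared cache such as a caching proxy."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))

    if "no-store" in cc:
        return False, "no-store"
    # The qualified form private="field" is treated conservatively here:
    # the whole response is kept out of the shared cache.
    if "private" in cc:
        return False, "private"
    # RFC 2616 14.8: a response to a request carrying Authorization must not
    # be reused by a shared cache unless the origin opts in explicitly.
    if "authorization" in req:
        for directive in ("s-maxage", "must-revalidate", "public"):
            if directive in cc:
                return True, "authorization, allowed by " + directive
        return False, "authorization"
    # Proxy-Authorization is a hop-by-hop header between client and proxy;
    # section 14.8 does not cover it, so it does not restrict storage.
    return True, "no restriction"


if __name__ == "__main__":
    # Constructed sample requests and responses.
    cases = [
        ({"Authorization": "Basic placeholder"}, {}),
        ({"Proxy-Authorization": "Basic placeholder"}, {}),
        ({"Authorization": "Basic placeholder"}, {"Cache-Control": "public, max-age=60"}),
        ({}, {"Cache-Control": "private"}),
    ]
    for req, resp in cases:
        print(req, resp, "->", shared_cache_may_store(req, resp))
```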