Cache-Control: 'private' makes 'no-cache="set-cookie"' unnecessary?

Philip Wilcox picture Philip Wilcox · Oct 10, 2012 · Viewed 14k times · Source

My reading of the definition of the 'private' directive for the Cache-Control header is that it will prevent any part of the response from being cached by intermediate proxies. So based on that, it sounds like if I'm using the 'private' directive then there's no need to also use a 'no-cache="set-cookie"' directive to tell intermediate proxies to suppress caching of the Set-Cookie header.

However, in section 4.2.3 in this document, it says:

The origin server should send the following additional HTTP/1.1 response headers, depending on circumstances:

  • To suppress caching of the Set-Cookie header: Cache-control: no-cache="set-cookie".

    and one of the following:

  • To suppress caching of a private document in shared caches: Cache-control: private.

    [...]

and I see a ton of examples online that have both directives.

So do I really need both of those to prevent intermediate proxies from caching a Set-Cookie header? I've been doing some testing, and it seems like Internet Explorer is responding to the 'no-cache="set-cookie"' directive by issuing a full request every subsequent time, so I'd rather not include it if it's not necessary.

Answer

Andy Davies picture Andy Davies · Oct 18, 2012

Cache-Control: Private will stop intermediary caches from storing the content, so the set-cookie directive isn't applicable in this case.