I read http://code.google.com/speed/page-speed/docs/caching.html. It says that proxy servers may cache cookies. I need clarification.
Let's say I have this header for my files: Cache-Control "max-age=604800, public"
Q.1. With this header, will the cookies from a person's computer be cached on the proxy server when a static file is accessed? (Then, would the next person to access the file pick up the other person's cookies?)
Now, let's say the cache code went like Cache-Control "max-age=7200, proxy-revalidate" instead.
Q.2. What would be the difference as far as cookie caching on the proxy server?
Now I have a question about files that actually set cookies (such as JavaScript or PHP).
Q.3. Will cookies be cached on the proxy server when these kinds of files are accessed? Or is the caching the same as static files?
In case you are wondering, the reason I ask these things is because I do not want one person's cookies to be proxy cached, and thus transferred to another person. So any clarification would really help. Thank you so much!
Edit:
Thank you very much for all the help. But I still need a little more clarification.
If I have files using header Cache-Control "max-age=604800, public", will any request cookies (Cookie) or response cookies (Set-Cookie) be transferred to another user's computer (since it's in the cache)? Or will it be cached only for that individual user's browsing? What about if the setting is Cache-Control "max-age=7200, proxy-revalidate"? Thanks again.
It depends on the proxy and on the Vary response-header. In general, proxies will not cache a response to a request that has a Cookie header. However, that is not really guaranteed.
When you specify your Cache-Control header with the directive public, you are asking proxies to share the cache between different clients. That is presumably not your intention, so you should specify private instead. See: http://www.mnot.net/cache_docs/#CACHE-CONTROL
What would be the difference as far as cookie caching on the proxy server?
Not really. All it does is it tells the proxy that it shouldn't serve from a stale cache. It doesn't affect how the cache is controlled.
Will cookies be cached on the proxy server when these kinds of files are accessed? Or is the caching the same as static files?
For an HTTP-level piece of software (e.g. a proxy), there is no difference between static and dynamic content. Cookies are merely HTTP headers that are sent with a request (Cookie header) or sent with a response (Set-Cookie headers).
If you set a cookie in the browser (either through JavaScript or from the server side, through a Set-Cookie header), the browser will send the cookie back with all subsequent requests to the same domain. It does this by adding a Cookie header with the requests.
Edit:
I do want my actual files to be cached on the proxy, but not individual users' cookies. How do I do this?
You need to avoid caching any response that either:
- Set-Cookie header (Since this would get cached by the proxy)
- Cookie header determines what gets rendered (E.g. printing "Welcome back, John Doe" or other customisation)
How exactly you'll do that depends on your backend technology. It's your application that knows whether the Cookie header is significant for the response or whether a response could potentially contain a Set-Cookie header.
In the application framework that I use, there is a function for setting cache-by-expires headers. If I call that and within the same request access cookies, I'll get an error. This ensures that I don't accidentally ask a proxy to cache private content. You need a similar logic implemented in your application.
Alternatively, you can configure an edge-level proxy to do the same thing. That's usually done if you don't control the application completely.
If I have files using header Cache-Control "max-age=604800, public", will any request cookies (Cookie) or response cookies (Set-Cookie) be transferred to another user's computer (since it's in the cache)? Or will it be cached only for that individual user's browsing?
The request cookies are not cached and will not be transferred anywhere. The response (Set-Cookie) is cached. Since you specify cache-control as public, it will be shared amongst all clients. Note that even though the request cookie isn't directly cached, if you render something in the page that relies on cookies (e.g. if you use the cookie for server side session state, such as authentication), you will cache the personalised response.
What about if the setting is Cache-Control "max-age=7200, proxy-revalidate"? Thanks again.
Same thing. proxy-revalidate informs any proxies (if there are any) that they may not serve a stale cache. E.g. once the 7200 seconds have passed, the cache should be purged immediately. Without this, caches will generally keep serving a stale cache and then fetch a fresh copy in the background, once the timeout has been reached. Or not - Depends on the proxy.
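
The application-level guard described in the answer (refuse to mark a response as shareable once the request has touched cookies) can be sketched as follows. This is an added example, not part of the original answer and not the code of any real framework; the `Exchange` class, its method names and the sample cookie values are hypothetical.

```python
class PrivateContentCached(Exception):
    """Raised when a cookie-dependent response would be marked shareable."""


class Exchange:
    """One request/response pair (hypothetical helper, not a framework API)."""

    def __init__(self, request_headers):
        self._cookies = self._parse(request_headers.get("Cookie", ""))
        self._cookies_read = False   # did the handler look at the Cookie header?
        self._set_cookies = []       # pending Set-Cookie values
        self._public_max_age = None  # set once the response is marked public

    @staticmethod
    def _parse(header):
        pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
        return {name: value for name, value in pairs}

    def get_cookie(self, name):
        if self._public_max_age is not None:
            raise PrivateContentCached("cookie read after marking response public")
        self._cookies_read = True
        return self._cookies.get(name)

    def set_cookie(self, name, value):
        if self._public_max_age is not None:
            raise PrivateContentCached("Set-Cookie on a response marked public")
        self._set_cookies.append(f"{name}={value}")

    def cache_publicly(self, max_age):
        # A shared cache would hand this response to every client, so it
        # must neither depend on the Cookie header nor carry Set-Cookie.
        if self._cookies_read or self._set_cookies:
            raise PrivateContentCached("response depends on or sets cookies")
        self._public_max_age = max_age

    def response_headers(self):
        if self._public_max_age is not None:
            return [("Cache-Control", f"max-age={self._public_max_age}, public")]
        # Default for anything not explicitly marked shareable.
        headers = [("Cache-Control", "private")]
        headers += [("Set-Cookie", c) for c in self._set_cookies]
        return headers


def try_public(exchange, max_age):
    """Return True if the response could be marked public, False if refused."""
    try:
        exchange.cache_publicly(max_age)
        return True
    except PrivateContentCached:
        return False
```

A handler for a static file calls `cache_publicly(604800)` and never touches cookies; a handler that reads the session cookie gets `Cache-Control: private` by default and an error if it tries to opt in to shared caching.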