Proxy caching - What about cookies?

Hope4You · Feb 17, 2012 · Viewed 17.1k times · Source

I read http://code.google.com/speed/page-speed/docs/caching.html. It says that proxy servers may cache cookies. I need clarification.


Let's say I have this header for my files: Cache-Control "max-age=604800, public"
Q.1. With this header, will the cookies from a person's computer be cached on the proxy server when a static file is accessed? (Then, would the next person to access the file pick up the other person's cookies?)


Now, let's say the cache code went like Cache-Control "max-age=7200, proxy-revalidate" instead.
Q.2. What would be the difference as far as cookie caching on the proxy server?


Now I have a question about files that actually set cookies (such as JavaScript or PHP).
Q.3. Will cookies be cached on the proxy server when these kinds of files are accessed? Or is the caching the same as static files?


In case you are wondering, the reason I ask these things is because I do not want one person's cookies to be proxy cached, and thus transferred to another person. So any clarification would really help. Thank you so much!


Edit:
Thank you very much for all the help. But I still need a little more clarification.

If I have files using header Cache-Control "max-age=604800, public", will any request cookies (Cookie) or response cookies (Set-Cookie) be transferred to another user's computer (since it's in the cache)? Or will it be cached only for that individual user's browsing? What about if the setting is Cache-Control "max-age=7200, proxy-revalidate"? Thanks again.

Answer

troelskn · Feb 17, 2012

It depends on the proxy and on the Vary response-header. In general, proxies will not cache a response to a request that has a Cookie header. However, that is not really guaranteed.

When you specify your Cache-Control header with the directive public, you are asking proxies to share the cache between different clients. That is presumably not your intention, so you should specify private instead. See: http://www.mnot.net/cache_docs/#CACHE-CONTROL

What would be the difference as far as cookie caching on the proxy server?

Not really. All it does is it tells the proxy that it shouldn't serve from a stale cache. It doesn't affect how the cache is controlled.

Will cookies be cached on the proxy server when these kinds of files are accessed? Or is the caching the same as static files?

For an HTTP-level piece of software (e.g. a proxy), there is no difference between static and dynamic content. Cookies are merely HTTP headers that are sent with a request (Cookie header) or sent with a response (Set-Cookie headers).

If you set a cookie in the browser (either through JavaScript or from the server side, through a Set-Cookie header), the browser will send the cookie back with all subsequent requests to the same domain. It does this by adding a Cookie header with the requests.

Edit:

I do want my actual files to be cached on the proxy, but not individual users' cookies. How do I do this?

You need to avoid caching any response that either:

  • Contains a Set-Cookie header (Since this would get cached by the proxy)
  • There is a side effect on the server side (E.g. it's important for your application to receive the request - For example, it wouldn't make sense to cache a tracking pixel)
  • Where the contents of the request's Cookie header determines what gets rendered (E.g. printing "Welcome back, John Doe" or other customisation)

How exactly you'll do that depends on your backend technology. It's your application that knows whether the Cookie header is significant for the response or whether a response could potentially contain a Set-Cookie header.

In the application framework that I use, there is a function for setting cache-by-expires headers. If I call that and within the same request access cookies, I'll get an error. This ensures that I don't accidentally ask a proxy to cache private content. You need a similar logic implemented in your application.

Alternatively, you can configure an edge-level proxy to do the same thing. That's usually done if you don't control the application completely.

If I have files using header Cache-Control "max-age=604800, public", will any request cookies (Cookie) or response cookies (Set-Cookie) be transferred to another user's computer (since it's in the cache)? Or will it be cached only for that individual user's browsing?

The request cookies are not cached and will not be transferred anywhere. The response (Set-Cookie) is cached. Since you specify cache-control as public, it will be shared amongst all clients. Note that even though the request cookie isn't directly cached, if you render something in the page that relies on cookies (E.g. if you use the cookie for server side session state, such as authentication), you will cache the personalised response.

What about if the setting is Cache-Control "max-age=7200, proxy-revalidate"? Thanks again.

Same thing. proxy-revalidate informs any proxies (if there are any) that they may not serve a stale cache. E.g. once the 7200 seconds have passed, the cache should be purged immediately. Without this, caches will generally keep serving a stale cache and then fetch a fresh copy in the background, once the timeout has been reached. Or not - Depends on the proxy.
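
The application-side guard described in the answer above (asking for shared caching and touching cookies in the same request is an error), together with a final header audit of the kind an edge proxy could apply. This is an added example, not the answerer's framework or code; `ResponseBuilder`, `SharedCacheConflict` and `shared_cache_safe` are hypothetical names, and the audit only looks at explicit Cache-Control directives.

```python
from http.cookies import SimpleCookie


class SharedCacheConflict(RuntimeError):
    """One response is both cookie-dependent and marked shareable."""


class ResponseBuilder:
    """Hypothetical per-request helper; not a real framework's API."""

    def __init__(self, cookie_header=""):
        self._cookies = SimpleCookie(cookie_header)
        self._touched_cookies = False
        self._public = False
        self.headers = []  # (name, value) pairs to send to the client

    def _guard(self, action):
        if self._public:
            raise SharedCacheConflict(f"response is public; refusing to {action}")
        self._touched_cookies = True

    def get_cookie(self, name):
        self._guard("read the Cookie header")
        morsel = self._cookies.get(name)
        return morsel.value if morsel else None

    def set_cookie(self, name, value):
        self._guard("emit Set-Cookie")
        self.headers.append(("Set-Cookie", f"{name}={value}; HttpOnly; Secure"))

    def cache_publicly(self, max_age):
        if self._touched_cookies:
            raise SharedCacheConflict("cookies already used; cannot mark public")
        self._public = True
        self.headers.append(("Cache-Control", f"max-age={max_age}, public"))


def shared_cache_safe(headers):
    """Return False when a Set-Cookie response may be stored by a shared cache."""
    has_set_cookie = any(n.lower() == "set-cookie" for n, _ in headers)
    cc = ",".join(v.lower() for n, v in headers if n.lower() == "cache-control")
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    # proxy-revalidate does not limit who may store the response, so it is
    # not treated as a restriction here; only private/no-store are.
    shareable = bool(directives & {"public", "s-maxage", "max-age"}) \
        and not directives & {"private", "no-store"}
    return not (has_set_cookie and shareable)
```

Static assets go through `cache_publicly()` and never touch cookies; personalised handlers touch cookies and therefore cannot be marked public by mistake.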