It depends on the proxy and on the Vary response-header. In general, proxies will not cache a response to a request that has a Cookie header. However, that is not really guaranteed.
When you specify your Cache-Control header with the directive public, you are asking proxies to share the cache between different clients. That is presumably not your intention, so you should specify private instead. See: http://www.mnot.net/cache_docs/#CACHE-CONTROL
What would be the difference as far as cookie cacheing on the proxy server?
Not really. All it does is it tells the proxy that it shouldn't serve from a stale cache. It doesn't affect how the cache is controlled.
Will cookies be cached on the proxy server when these kinds of files are accessed? Or is the cacheing the same as static files?
For a http level piece of software (e.g. a proxy), there is no difference between static and dynamic content. Cookies are merely http-headers that are sent with a request (Cookie header) or sent with a response (Set-Cookie headers)
If you set a cookie in the browser (either through Javascript or from the server side, through a Set-Cookie header), the browser will send the cookie back with all subsequent requests to the same domain. It does this by adding a Cookie header with the requests.
Edit:
I do want my actual files to be cached on the proxy, but not individual users' cookies. How do I do this?
You need to avoid caching any response that either:
Contains a Set-Cookie header (Since this would get cached by the proxy)
There is a side effect on the server side (E.g. it's important for your application to receive the request - For example, it wouldn't make sense to cache a tracking pixel)
Where the contents of the requests Cookie header determines what gets rendered (E.g. printing "Welcome back, John Doe" or other customisation)
How exactly you'll do that depends on your backend technology. It's your application that knows whether the Cookie header is significant for the response or whether a response could potentially contain a Set-Cookie header.
In the application framework that I use, there is a function for setting cache-by-expires headers. If I call that and within the same request access cookies, I'll get an error. This ensures that I don't accidentally ask a proxy to cache private content. You need a similar logic implemented in your application.
Alternatively, you can configure an edge-level proxy to do the same thing. That's usually done if you don't control the application completely.
If I have files using header Cache-Control "max-age=604800, public", will any request cookies (Cookie) or response cookies (Set-Cookie) be transferred to another user's computer (since its in the cache)? Or will it be cached only for that individual user's browsing?
The request cookies are not cached and will not be transferred anywhere. The response (Set-Cookie) is cached. Since you specify cache-control as public, it will be shared amongst all clients. Note that even though the request cookie isn't directly cached, if you render something in the page, that relies on cookies (E.g. if you use the cookie for server side session state, such as authentication), you will cache the personalised response.
What about if the setting is Cache-Control "max-age=7200, proxy-revalidate"? Thanks again.
Same thing. proxy-revalidate informs any proxies (if there are any) that they may not serve a stale cache. E.g. once the 7200 seconds have passed, the cache should be purged immediately. Without this, caches will generally keep serving a stale cache and then fetch a fresh copy in the background, once the timeout has been reached. Or not - Depends on the proxy.
发布评论
评论(1)
它取决于代理和
Vary响应标头。一般来说,代理不会缓存对具有 Cookie 标头的请求的响应。然而,这并不能真正保证。当您使用指令
public指定Cache-Control标头时,您是在要求代理在不同客户端之间共享缓存。这可能不是您的意图,因此您应该指定private。请参阅:http://www.mnot.net/cache_docs/#CACHE-CONTROL并不真地。它所做的只是告诉代理它不应该从陈旧的缓存中提供服务。它不影响缓存的控制方式。
对于http级别的软件(例如代理),静态内容和动态内容没有区别。 Cookie 只是随请求(
Cookie标头)发送或与响应(Set-Cookie标头)一起发送的 http 标头。无论是通过 Javascript 还是从服务器端通过
Set-Cookie标头),浏览器都会将 cookie 与所有后续请求一起发送回同一域。它通过在请求中添加Cookie标头来实现此目的。编辑:
您需要避免缓存以下任何响应:
Set-Cookie标头(因为这会被代理缓存)Cookie标头的内容决定渲染的内容(例如打印“欢迎回来,John Doe”或其他定制)究竟如何你会这样做取决于你的后端技术。您的应用程序知道
Cookie标头对于响应是否重要,或者响应是否可能包含Set-Cookie标头。在我使用的应用程序框架中,有一个用于设置cache-by-expires headers的功能。如果我调用它并在同一请求中访问 cookie,我会收到错误消息。这可以确保我不会意外地要求代理缓存私有内容。您需要在应用程序中实现类似的逻辑。
或者,您可以配置边缘级代理来执行相同的操作。如果您不完全控制应用程序,通常会这样做。
请求 cookie 不会被缓存,也不会被传输到任何地方。响应(
Set-Cookie)被缓存。由于您将cache-control指定为 public,因此它将在所有客户端之间共享。请注意,即使请求 cookie 没有直接缓存,如果您在页面中渲染依赖于 cookie 的内容(例如,如果您将 cookie 用于服务器端会话状态,例如身份验证),您将缓存个性化响应。同样的事情。
proxy-revalidate通知任何代理(如果有的话)它们可能不会提供过时的缓存。例如,一旦超过 7200 秒,应立即清除缓存。如果没有这个,缓存通常会继续提供陈旧的缓存,然后一旦达到超时,就会在后台获取新的副本。或不 - 取决于代理。It depends on the proxy and on the
Varyresponse-header. In general, proxies will not cache a response to a request that has aCookieheader. However, that is not really guaranteed.When you specify your
Cache-Controlheader with the directivepublic, you are asking proxies to share the cache between different clients. That is presumably not your intention, so you should specifyprivateinstead. See: http://www.mnot.net/cache_docs/#CACHE-CONTROLNot really. All it does is it tells the proxy that it shouldn't serve from a stale cache. It doesn't affect how the cache is controlled.
For a http level piece of software (e.g. a proxy), there is no difference between static and dynamic content. Cookies are merely http-headers that are sent with a request (
Cookieheader) or sent with a response (Set-Cookieheaders)If you set a cookie in the browser (either through Javascript or from the server side, through a
Set-Cookieheader), the browser will send the cookie back with all subsequent requests to the same domain. It does this by adding aCookieheader with the requests.Edit:
You need to avoid caching any response that either:
Set-Cookieheader (Since this would get cached by the proxy)Cookieheader determines what gets rendered (E.g. printing "Welcome back, John Doe" or other customisation)How exactly you'll do that depends on your backend technology. It's your application that knows whether the
Cookieheader is significant for the response or whether a response could potentially contain aSet-Cookieheader.In the application framework that I use, there is a function for setting cache-by-expires headers. If I call that and within the same request access cookies, I'll get an error. This ensures that I don't accidentally ask a proxy to cache private content. You need a similar logic implemented in your application.
Alternatively, you can configure an edge-level proxy to do the same thing. That's usually done if you don't control the application completely.
The request cookies are not cached and will not be transferred anywhere. The response (
Set-Cookie) is cached. Since you specifycache-controlas public, it will be shared amongst all clients. Note that even though the request cookie isn't directly cached, if you render something in the page, that relies on cookies (E.g. if you use the cookie for server side session state, such as authentication), you will cache the personalised response.Same thing.
proxy-revalidateinforms any proxies (if there are any) that they may not serve a stale cache. E.g. once the 7200 seconds have passed, the cache should be purged immediately. Without this, caches will generally keep serving a stale cache and then fetch a fresh copy in the background, once the timeout has been reached. Or not - Depends on the proxy.