Cache and Authentication

When can responses to authenticated requests be returned to other users? The current draft spec states that if the request carries an Authorization: header, the response must not be cached in a way that lets other users see it (that is, it must not be served from a shared cache).

Proposal: if the response contains "Cache-Control: public", that overrides the rule above, and a shared cache may serve it to other users.

ACTION ITEM: Jeff Mogul will clarify the language regarding what this means (in particular, what "shared" means).

One might consider the authenticator merely to be another item on which the response varies: a 'wrong' authenticator yields an authentication error, and the 'right' authenticator yields the value appropriate to that authenticator. It is then up to the origin server to decide whether it cares that proxies cache the result. The default is that the response varies on the authenticator and cannot be cached; an origin server could override that default by supplying a response that carries an Expires header and a Vary clause denoting either "this response does not vary on the authenticator" (i.e., it may be served to anyone who asks, authenticated or not) or "this response does vary on the authenticator" (i.e., it may be served to any client that supplies the same credentials).

All of this only makes sense for Basic authentication, or for clients that use Digest authentication.

The current Vary: proposal allows a server to say "this response does NOT depend on the Authorization: request header."

This mechanism would be more general than "Cache-Control: public", since it can also express "varies on the authenticator" (serve only to clients presenting the same credentials) and can be combined with other selecting request headers.
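The following is an added example, not code from the HTTP working group minutes or from any real proxy: a minimal shared-cache admission and lookup procedure that implements the three rules discussed above (the default "not in shared caches" rule for authenticated requests, the "Cache-Control: public" override, and the Vary-based alternative). It assumes lower-cased header names in dicts, RFC 2616-style Vary semantics (listed request headers form part of the cache key), and a hypothetical "!authorization" token in Vary to model the draft's "does NOT vary on the authenticator" statement; the credentials and URLs are constructed sample values.

```python
# Added example (not from the HTTP-WG minutes or any real proxy): a minimal
# shared-cache admission and lookup procedure for the rules discussed above.
#
# Assumptions, not stated in the original text:
# - header names are lower-cased dict keys; values are raw strings;
# - 'Vary' lists request headers that form part of the cache key (RFC 2616
#   semantics); the draft's "does NOT vary on Authorization" is modelled with a
#   hypothetical '!authorization' token in Vary;
# - credentials and URLs below are constructed sample values.

from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]
SelectingKey = Tuple[Tuple[str, Optional[str]], ...]


def _tokens(value: str) -> List[str]:
    """Split a comma-separated header value into lower-case tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def shared_cache_policy(request: Headers, response: Headers) -> Tuple[bool, Tuple[str, ...]]:
    """Decide whether a shared (proxy) cache may store this response and which
    request headers select it on later lookups.

    Returns (storable, selecting_headers):
      1. default: a response to a request carrying Authorization is not storable;
      2. 'Cache-Control: public' overrides rule 1;
      3. Vary is more general: listing 'authorization' stores the response keyed
         on the exact credentials; the assumed '!authorization' token declares
         the response independent of the authenticator, so anyone may receive it.
    """
    cache_control = _tokens(response.get("cache-control", ""))
    vary = _tokens(response.get("vary", ""))
    authenticated = "authorization" in request

    if "*" in vary:                       # Vary: * can never be satisfied from cache
        return False, ()
    if "!authorization" in vary:          # assumed syntax: does not vary on authenticator
        return True, tuple(h for h in vary if h != "!authorization")
    if "authorization" in vary:           # varies on authenticator: key on credentials
        return True, tuple(vary)
    if authenticated and "public" not in cache_control:
        return False, ()                  # default rule: keep it out of shared caches
    return True, tuple(vary)


class SharedCache:
    """Proxy-style cache: one entry per (url, selecting request header values)."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[Tuple[SelectingKey, str]]] = {}

    def store(self, url: str, request: Headers, response: Headers, body: str) -> bool:
        storable, selecting = shared_cache_policy(request, response)
        if not storable:
            return False
        key: SelectingKey = tuple((h, request.get(h)) for h in selecting)
        self._entries.setdefault(url, []).append((key, body))
        return True

    def lookup(self, url: str, request: Headers) -> Optional[str]:
        """Return a stored body whose selecting header values match this request."""
        for key, body in self._entries.get(url, []):
            if all(request.get(h) == v for h, v in key):
                return body
        return None


def demo() -> Dict[str, object]:
    """Exercise the three rules with constructed sample traffic."""
    cache = SharedCache()
    alice = {"authorization": "Basic YWxpY2U6czNjcjN0", "accept-language": "en"}
    bob = {"authorization": "Basic Ym9iOmh1bnRlcjI=", "accept-language": "en"}
    anon_fr = {"accept-language": "fr"}

    # Rule 1: authenticated response with no overriding directive stays out.
    default_stored = cache.store("/mail", alice, {"content-type": "text/plain"}, "alice's inbox")
    # Rule 2: Cache-Control: public lets anyone share it.
    cache.store("/logo", alice, {"cache-control": "public"}, "logo bytes")
    # Rule 3a: Vary: Authorization -> only the same credentials get a hit.
    cache.store("/profile", alice, {"vary": "Authorization"}, "alice's profile")
    # Rule 3b: varies on language, explicitly not on the authenticator.
    cache.store("/news", alice, {"vary": "Accept-Language, !Authorization"}, "news (en)")

    return {
        "default_stored": default_stored,                     # False
        "logo_for_bob": cache.lookup("/logo", bob),           # "logo bytes"
        "logo_for_anon": cache.lookup("/logo", anon_fr),      # "logo bytes"
        "profile_for_alice": cache.lookup("/profile", alice), # "alice's profile"
        "profile_for_bob": cache.lookup("/profile", bob),     # None
        "news_for_bob": cache.lookup("/news", bob),           # "news (en)"
        "news_for_anon_fr": cache.lookup("/news", anon_fr),   # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

One practical caveat the example makes visible: keying an entry on the exact Authorization: value (rule 3a) only gives cache hits when the credential string is stable across requests, as it is with Basic authentication; a Digest Authorization: header changes from request to request, so such an entry would rarely be reused.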

http working group issues