Cache and Authentication
When can responses to authenticated requests be returned to
other users? The current draft spec includes a statement
that if the request includes Authentication: then the response
is not cacheable in such a way that other users could see it.
Proposal: if the response contains "Cache-control: public"
then this overrides that rule.
ACTION ITEM: Jeff Mogul will clarify the language regarding what
this means (in particular, what "shared" means).
Larry:
One might consider the authenticator merely to be another item on
which response varies; that is, 'wrong authentication' =
authentication error and 'right authentication' = value as appropriate
to that authenticator. It is up to the origin server to decide whether
it cares whether proxies cache results. While the default is that the
result varies on the authenticator and that responses cannot be
cached, origin servers might override that default by supplying a
response that has an Expires and a vary clause that denotes either
that "this response does not vary on authenticator" (e.g., you may
serve it to anyone who comes along, authenticated or no) or "this
response does vary on authenticator" (e.g., you may serve this to any
client that supplies the same credentials).
This all only makes sense for basic authentication or for clients that
use digest authentication.
The current Vary: proposal allows you to say
"this response does NOT depend on the Authentication: request header."
This mechanism would be more general than "Cache-control: public".
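The two mechanisms discussed above, written out as a shared-cache decision in Python. This is an added example, not text or code from the working group; it models only the rules in these notes (the authenticated-request default, the "Cache-control: public" override, and Vary on the credential header) and nothing else from the draft. The request header is spelled Authorization here, the name the HTTP specifications use, where the notes write Authentication:. The credential values are constructed samples.

```python
from typing import Dict, Optional

Headers = Dict[str, str]


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cache_control_tokens(headers: Headers) -> set:
    """Split 'Cache-Control: public, max-age=60' into lower-cased directives."""
    raw = get_header(headers, "Cache-Control") or ""
    return {token.strip().lower() for token in raw.split(",") if token.strip()}


def shared_cache_may_store(request: Headers, response: Headers) -> bool:
    """Default rule from the notes: a response to a request that carried
    credentials must not be stored where other users could see it, unless
    the origin server explicitly marks it 'Cache-control: public'."""
    if get_header(request, "Authorization") is None:
        return True
    return "public" in cache_control_tokens(response)


def shared_cache_may_reuse(stored_request: Headers, stored_response: Headers,
                           new_request: Headers) -> bool:
    """Vary-based rule: a stored response may be served to a new request only
    if every header named in Vary matches between the two requests. Listing
    Authorization in Vary therefore means 'same credentials only'; omitting
    it means 'serve to anyone'. 'Vary: *' never matches."""
    if not shared_cache_may_store(stored_request, stored_response):
        return False
    vary = get_header(stored_response, "Vary") or ""
    for name in (field.strip() for field in vary.split(",") if field.strip()):
        if name == "*":
            return False
        if get_header(stored_request, name) != get_header(new_request, name):
            return False
    return True


# Constructed sample credentials (alice:pw and bob:pw, base64-encoded).
ALICE: Headers = {"Authorization": "Basic YWxpY2U6cHc="}
BOB: Headers = {"Authorization": "Basic Ym9iOnB3"}
PER_USER: Headers = {"Cache-Control": "public", "Vary": "Authorization"}
FOR_ANYONE: Headers = {"Cache-Control": "public", "Vary": "Accept-Encoding"}
```

With PER_USER, Alice's cached response is reused for Alice but not for Bob; with FOR_ANYONE it is reused for both; without "public" it is never stored at all.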