RE: cookie problems

From: Dave J Woolley <DJW@dont-contact.us>
Date: Tue, 26 Oct 1999 19:20:05 +0100

> From: Blue Lang [SMTP:blue@calico.gator.net]
>
> I tried to follow this thread back, but got lost. Can you possibly
> elaborate on that last bit a little? Is the issue that no page with a
> cookie will ever be cached, or is something more sinister going on?
>
        As I understand it, if you provide a cookie, a public
        cache, like squid, may cache it unless you set cache-control:
        private.

        Generally, you don't want to set cookies unless they
        correlate to an individual, so normally you will want to
        set cache-control: private on all cookies.

        However, setting cache-control: private defeats caching,
        so you want to do it as little as possible. This isn't
        a problem if people accept cookies, but many, like me,
        will reject all persistent cookies and only accept session
        cookies if they can see a legitimate need for them. If
        your application insists on setting cookies when the user
        doesn't want them, it will always have to make the page
        non-cacheable - people who reject cookies are normally
        prepared to accept a performance penalty for their
        increased privacy.

        To expand on what I was saying, if there is a strong case,
        as perceived by the users, for session cookies, you could
        record the fact that persistent cookies were refused, but
        if no cookies at all have been accepted, the only way to
        maintain cacheability without losing that reader (which you
        might consider an acceptable loss if you are using cookies
        to track individuals rather than for statistical purposes)
        is to only try and set them on a small entry page to the
        site.

        Once you have set cookies, it should be sufficient to set max-age=0
        to force a default configured proxy to pass them back on every
        access, but as a conditional get. (Many squid users, particularly
        in poor countries, override max-age=0 in order to improve their
        access latency.)

        Note this is mainly from a consumer point of view, with a
        knowledge of how caches and cookies work. Supplier side
        priorities are often very different.
Received on Tue Oct 26 1999 - 12:40:51 MDT
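
An added example, not part of the original message: a Python check that reads an origin response's headers and flags a Set-Cookie that a shared cache such as squid could store, following the cache-control: private and max-age=0 points in the message. The function names and the sample header values are constructed for illustration.

```python
# Added example: audit origin response headers for Set-Cookie on cacheable pages.
# Simplification: private="field" / no-cache="field" are treated like the bare directive.

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lowercase directive names."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def classify(headers):
    """headers: list of (name, value) pairs sent by the origin server.

    Returns (storage, sets_cookie); storage is one of
      'private'    - a shared cache must not store the response
      'revalidate' - storable, but checked with the origin on every use
      'shared'     - a shared cache may store it and replay it to other users
    """
    cc, sets_cookie = {}, False
    for name, value in headers:
        if name.lower() == "cache-control":
            cc.update(parse_cache_control(value))
        elif name.lower() == "set-cookie":
            sets_cookie = True
    if "private" in cc or "no-store" in cc:
        return "private", sets_cookie
    # s-maxage, when present, replaces max-age for shared caches.
    if "no-cache" in cc or cc.get("s-maxage", cc.get("max-age")) == "0":
        return "revalidate", sets_cookie
    return "shared", sets_cookie


def audit(headers):
    """Return a finding string, or None when the response needs no attention."""
    storage, sets_cookie = classify(headers)
    if not sets_cookie or storage == "private":
        return None
    if storage == "shared":
        return "Set-Cookie on a response a shared cache may store: add Cache-Control: private"
    return "Set-Cookie depends on the proxy honouring max-age=0 / no-cache (operators can override it)"


if __name__ == "__main__":
    # Constructed sample: a per-user session cookie on a page left publicly cacheable.
    sample = [("Content-Type", "text/html"), ("Cache-Control", "max-age=3600"),
              ("Set-Cookie", "sid=EXAMPLE-VALUE; Path=/")]
    print(audit(sample))
```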
