
My reading of the definition of the 'private' directive for the Cache-Control header is that it will prevent any part of the response from being cached by intermediate proxies. So based on that, it sounds like if I'm using the 'private' directive then there's no need to also use a 'no-cache="set-cookie"' directive to tell intermediate proxies to suppress caching of the Set-Cookie header.

However, in section 4.2.3 in this document, it says:

The origin server should send the following additional HTTP/1.1 response headers, depending on circumstances:

  • To suppress caching of the Set-Cookie header: Cache-control: no-cache="set-cookie".

    and one of the following:

  • To suppress caching of a private document in shared caches: Cache-control: private.

    [...]

and I see a ton of examples online that have both directives.

So do I really need both of those to prevent intermediate proxies from caching a Set-Cookie header? I've been doing some testing, and it seems like Internet Explorer is responding to the 'no-cache="set-cookie"' directive by issuing a full request every subsequent time, so I'd rather not include it if it's not necessary.


1 Answer


Cache-Control: private will stop intermediary caches from storing the content, so the set-cookie directive isn't applicable in this case.

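To make the answer's point concrete, here is an added example (not code from the question, the answer, or any project mentioned in the thread) that models how a shared cache treats the header values discussed above: a bare `private` means nothing is stored, so a `no-cache="set-cookie"` qualifier on the same response adds nothing. It follows the directive grammar of RFC 7234 section 5.2 and also handles the `private="field"` form, which goes slightly beyond the thread; the sample response headers are constructed.

```python
import re

# Constructed sample response headers (not from the thread).
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly",
    "ETag": '"v1"',
}

# token [ "=" ( token / quoted-string ) ], the directive grammar of RFC 7234 section 5.2.
_DIRECTIVE = re.compile(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(?:=\s*(\"[^\"]*\"|[^,\s]+))?")


def parse_cache_control(value):
    """Return an ordered list of (name, argument) pairs.

    Names are lower-cased and quoted field lists are unquoted. Repeated
    directives are kept, so 'no-cache, no-cache=Set-Cookie' is not collapsed.
    """
    return [(m.group(1).lower(), m.group(2).strip('"') if m.group(2) else None)
            for m in _DIRECTIVE.finditer(value)]


def _fields(arg):
    # Split a field-name list such as "set-cookie, set-cookie2" into a set.
    return {f.strip().lower() for f in arg.split(",") if f.strip()}


def shared_cache_view(cache_control, response_headers):
    """Model what a shared (proxy) cache may keep from a response.

    Returns None when the response must not be stored at all, otherwise
    {"headers": <storable fields>, "must_revalidate": <bool>}.
    """
    excluded, must_revalidate = set(), False
    for name, arg in parse_cache_control(cache_control):
        if name == "no-store" or (name == "private" and arg is None):
            return None  # a shared cache must not store any of this response
        if name == "private":
            excluded |= _fields(arg)  # private="f": only the listed fields are private
        elif name == "no-cache" and arg is None:
            must_revalidate = True  # bare no-cache: revalidate with origin before every reuse
        elif name == "no-cache":
            excluded |= _fields(arg)  # no-cache="f": listed fields are never served from cache
    headers = {k: v for k, v in response_headers.items() if k.lower() not in excluded}
    return {"headers": headers, "must_revalidate": must_revalidate}


if __name__ == "__main__":
    # The Google Analytics value from the comments: private alone already yields None.
    print(shared_cache_view("private, no-cache, no-cache=Set-Cookie, proxy-revalidate", SAMPLE_HEADERS))
    print(shared_cache_view('no-cache="set-cookie"', SAMPLE_HEADERS))
```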
  • But the Google Analytics 1x1 GIF is still using this header value: private, no-cache, no-cache=Set-Cookie, proxy-revalidate – Valentin V Mar 11 '15 at 11:12
  • @Valentin That's probably because some browsers and proxies understand better things that are spelled out to them. – Alexis Wilke Aug 13 '18 at 04:45
  • My server is Laravel, and when I send a token for an anonymous API it returned this error: HTTP/1.0 401 Unauthorized Cache-Control: no-cache, private Content-Type: application/json Date: Sun, 26 Jul 2020 05:07:39 GMT {"success":false,"error":[{"code":401,"message":"unauthorized"}]} How can I configure Laravel to send only JSON to clients? – saber tabatabaee yazdi Jul 26 '20 at 05:09