Cache-control and Authentication
Nottingham, Mark (mark_nottingham@exchange.au.ml.com)
Tue, 1 Sep 1998 19:18:35 +1000
I'm attempting to get my head around the newest draft of 1.1, and was
wondering if someone could clarify this for me:
Let's say a server has content that clients access through a 1.1-capable
cache (this is internal, so it can be controlled). There is a section of
the content that requires basic authentication, but the content does not
change based upon that authentication; any user-specific changes are
controlled by the path, query and parameters.
What is the correct way to allow caches to keep, and satisfy requests
from, a local copy, while still forcing the request to be revalidated
(in this instance, so that the different users are indeed authenticated,
as well as maintaining freshness, which is critical in this
application)?
that this can be done by server response headers that include
Cache-control: no-cache Authorization
authentication header, which will enable the cache to serve the local
request IF the user is authenticated, and IF the object has not changed.
Is this correct? Or would this situation be covered by
Cache-control: public
Thanks,
Mark Nottingham
Internet Project Manager
Merrill Lynch - Melbourne, Australia
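
Added example, not part of the original message: a small model of how a shared cache treats a stored response whose request carried an Authorization header, following the rules as later published in RFC 7234 (sections 3.2, 4.2.1 and 5.2.2). The function names and return labels are hypothetical, and Expires and heuristic freshness are left out as a simplifying assumption.

```python
import re

# Constructed model of a shared (proxy) cache's choice for a stored response.
# Assumption: no max-age or s-maxage means a freshness lifetime of 0, because
# Expires and heuristic freshness are not modelled here.
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^,\s]+))?')

# Response directives that allow a shared cache to reuse a response to a
# request that carried Authorization (RFC 7234 section 3.2).
_AUTH_REUSE = {"public", "must-revalidate", "s-maxage"}


def parse_cache_control(value):
    """Return {directive: argument or None}; quoted arguments may hold commas."""
    return {m.group(1).lower(): (m.group(2).strip('"') if m.group(2) else None)
            for m in _DIRECTIVE.finditer(value)}


def shared_cache_decision(request_had_authorization, cache_control, age_seconds):
    """Classify what a shared cache may do with the stored response."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc or ("private" in cc and cc["private"] is None):
        return "do-not-store"
    # Without an explicit opt-in, an authenticated response is never shared.
    if request_had_authorization and _AUTH_REUSE.isdisjoint(cc):
        return "do-not-reuse"
    # A qualified no-cache="field" is handled like the unqualified form, the
    # conservative behaviour RFC 7234 section 5.2.2.2 notes is common.
    if "no-cache" in cc:
        return "revalidate"
    # s-maxage overrides max-age for shared caches.
    raw = cc["s-maxage"] if "s-maxage" in cc else cc.get("max-age")
    lifetime = int(raw) if raw and raw.isdigit() else 0
    # A stale response is always revalidated, so the origin server sees the
    # new request's credentials before the stored body is served again.
    return "serve-fresh" if age_seconds < lifetime else "revalidate"


if __name__ == "__main__":
    # Constructed sample header values.
    for header in ("max-age=3600", "public, max-age=3600", "public, no-cache",
                   "s-maxage=0", 'no-cache="Authorization"'):
        print(f"{header!r:32} -> {shared_cache_decision(True, header, 10)}")
```

In this model, `public` with a non-zero `max-age` lets the cache answer a second user without the origin server ever checking that user's credentials. `public, no-cache`, `s-maxage=0` and `must-revalidate` with `max-age=0` all keep the local copy but send every request back to the origin for revalidation.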