I have a problem where corporate proxy servers serve up the page for different logged-in users. I reckon I can solve this issue by disabling proxy caching. This page suggests including the following snippet in .htaccess:
ExpiresDefault A0
Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header set Pragma "no-cache"
As I've understood it (by Googling), the Expires header is only read by proxies, so I might also just use "Header set Expires 0"?
I suppose this would also prevent caching of stylesheets, images and other assets (although only by proxies, not browsers)?
What is the best way to deal with this? I'm running PHP, and can easily modify headers through PHP, too, if that's recommended.
I don't have access to a proxy server for testing.
From the HTTP 1.1 spec (RFC 2616), section 14.9.1:
private
Indicates that all or part of the response message is intended for
a single user and MUST NOT be cached by a shared cache. This
allows an origin server to state that the specified parts of the
Header set Cache-Control "private, ..." does the trick.
There is no need for the Expires header. Cache-Control: max-age overrides the Expires field. See RFC section 14.21.
You should send different caching headers depending on the content you deliver.
The following example is for a website delivering static content from /static and varying content for logged-in users. Logged-in users are identified by the presence of the session cookie MYSESSID.
- Allow 5min public caching by default
- Allow 365 days public caching on static files
- Allow 5min private caching for logged in users
- Deny caching at /dynamic/*
RewriteEngine On
# Flag files in /static as STATIC
RewriteRule ^static - [E=STATIC:1]
# Flag requests by logged in users as PRIVATE
# Users are identified by presence of MYSESSID cookie
# Ignores files in: /static
RewriteCond %{HTTP_COOKIE} MYSESSID
RewriteCond %{REQUEST_URI} !^/static
RewriteRule ^ - [E=PRIVATE:1]
# Tell proxy servers that contents not in /static vary based on the given cookies
RewriteCond %{REQUEST_URI} !^/static
RewriteRule ^ - [E=VARY:1]
# Flag requests to /dynamic as NO_CACHE
RewriteRule ^dynamic - [E=NO_CACHE:1]
## Default Cache-Control
# Per default, any content is public and 5min cacheable
Header set Cache-Control "public, max-age=300"
## Static Files
# Static files are public and 365d cacheable.
Header set Cache-Control "public, max-age=31536000" env=STATIC
# Reset Age so the objects are reported as fresh
Header set Age 0 env=STATIC
## Private responses
# private. Allow 5min caching
Header set Cache-Control "private, max-age=300" env=PRIVATE
## Deny caching
Header set Cache-Control "private, max-age=0, no-cache, no-store, must-revalidate" env=NO_CACHE
## Vary rules
Header append Vary Cookie env=VARY
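To make the shared-cache behaviour behind these rules concrete, here is an added Python model (not code from the question or any answer) of how a proxy applies Cache-Control and Vary: it stores one logged-in user's response and then checks whether a second user's request for the same URL would be answered from it. The URL /account, the MYSESSID cookie values and the "Hello Alice" body are constructed sample data.

```python
# Toy model of a shared (proxy) cache applying the Cache-Control and Vary
# rules the answers rely on. Added illustration, not code from the page.

def parse_cache_control(value):
    """'private, max-age=300' -> {'private': None, 'max-age': '300'}"""
    out = {}
    for token in value.split(","):
        name, _, arg = token.strip().lower().partition("=")
        if name:
            out[name] = arg.strip('"') or None
    return out


class SharedCache:
    """Entries are keyed by URL plus the request headers listed in Vary."""

    def __init__(self):
        self.entries = {}  # url -> list of (vary_names, vary_values, expires, body)

    @staticmethod
    def may_store(resp_headers):
        cc = parse_cache_control(resp_headers.get("cache-control", ""))
        # RFC 2616 14.9.1: 'private' and 'no-store' forbid storage in a shared
        # cache; 'no-cache' would force revalidation, so this toy cache refuses it.
        if any(d in cc for d in ("private", "no-store", "no-cache")):
            return False
        return int(cc.get("max-age") or 0) > 0

    def store(self, url, req_headers, resp_headers, body, now):
        if not self.may_store(resp_headers):
            return False
        vary = [v.strip().lower() for v in resp_headers.get("vary", "").split(",") if v.strip()]
        if "*" in vary:  # Vary: * means the response can never be reused
            return False
        values = tuple(req_headers.get(h, "") for h in vary)
        ttl = int(parse_cache_control(resp_headers["cache-control"])["max-age"])
        self.entries.setdefault(url, []).append((tuple(vary), values, now + ttl, body))
        return True

    def lookup(self, url, req_headers, now):
        for vary, values, expires, body in self.entries.get(url, []):
            if now < expires and tuple(req_headers.get(h, "") for h in vary) == values:
                return body
        return None


def leaks_between_users(resp_headers):
    """Cache Alice's response, then ask for the same URL as Bob (constructed
    sample users). Returns True if Bob would receive Alice's page."""
    cache = SharedCache()
    alice = {"cookie": "MYSESSID=alice"}
    bob = {"cookie": "MYSESSID=bob"}
    cache.store("/account", alice, resp_headers, "Hello Alice", now=0)
    return cache.lookup("/account", bob, now=10) == "Hello Alice"
```

With `public, max-age=300` and no Vary the second user gets the first user's page; adding `private`, `no-store` or `Vary: Cookie` prevents that.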
Use:
ExpiresActive On
ExpiresDefault now
Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform"
Header set Pragma "no-cache"