Can you cache the unknown? (was Re: Session-ID proposal)

Bob Wyman (bobwyman@medio.com)
Wed, 23 Aug 95 15:15:17 -0800


-- [ From: Bob Wyman * EMC.Ver #2.5.02 ] --

Is a caching proxy permitted to cache HTTP headers that it doesn't
understand?
Do existing caching proxies cache such headers?

I'm concerned that there may be a serious problem with use of Dave Kristol's
State-Info headers prior to general support by caching proxies of his
requirement that: "...cache... must not cache the State-Info header..." The
problem I see with this is one that must have already been experienced with
Cookies if caching proxies cache headers they don't understand.

The problem is this: Imagine that I have a client that understands State-
Info and I request data from an origin-server that generates State-Info
headers. Imagine further that I make this request via a caching proxy that
does not understand State-Info but *does* cache headers it doesn't
understand. Now, if I make a request that ends up returning State-Info on an
otherwise cacheable page, the cache will cache not only the page returned
but also the State-Info header. Then, if anyone else (or 200 people) on "my
side" of the proxy makes a request for the same page, they will get *my*
State-Info. Also, if anyone else on my side of the proxy uses "my" state
before I finish my session, it is possible that I'll suddenly discover new
stuff in my shopping cart that someone ordered...

It seems like this problem must already be getting experienced by anyone who
is using the Netscape cookie stuff. Does anyone know if it's a real problem?

Cookies and State-Info will probably not be the only examples of HTTP
headers whose improper caching can be dangerous. Perhaps I don't read the
specs clearly enough, but I can't find a general policy statement on whether
caches can cache unknown headers.

On a slightly different tack... It seems like this whole business of caching
is getting a bit complicated... It also seems that much of the data needed
to responsibly cache things is not covered in the HTTP specs themselves.
Rather, a serious cache writer would have to spend a good bit of time
reading www-talk, etc. to collect the necessary folk-lore. Adding a lot of
information about caching in the HTTP spec could make it more complex than
necessary. Thus, it would seem to me that it would be useful to put some
effort into building at least an "informational" RFC or IETF-Draft on the
subject of caching. Is someone already doing this? Would it make sense? If
it isn't being done and it does make sense, I think I'll volunteer to try to
fix this one...

bob wyman
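
The scenario described in this message, as an added simulation that is not part of the original post: a proxy that stores headers it does not understand hands the first client's State-Info to everyone behind it, while a proxy that follows the quoted "must not cache the State-Info header" rule still serves the cached page without it. All class, function and value names are hypothetical, and the `cart=N` values are constructed.

```python
# Constructed simulation; every name here is hypothetical.
PER_USER_HEADERS = {"state-info", "set-cookie"}  # headers carrying per-user state


class Origin:
    """Origin server that issues a new State-Info value per request it sees."""

    def __init__(self):
        self.issued = 0

    def get(self, path):
        self.issued += 1
        headers = {"Content-Type": "text/html", "State-Info": f"cart={self.issued}"}
        return headers, f"<html>{path}</html>"


class CachingProxy:
    """Caches by path. strip_per_user=False models a proxy that stores
    headers it does not understand along with the page."""

    def __init__(self, origin, strip_per_user):
        self.origin = origin
        self.strip_per_user = strip_per_user
        self.store = {}

    def get(self, path):
        if path in self.store:                      # cache hit: origin not contacted
            return self.store[path]
        headers, body = self.origin.get(path)
        kept = {k: v for k, v in headers.items()
                if not (self.strip_per_user and k.lower() in PER_USER_HEADERS)}
        self.store[path] = (kept, body)             # what later clients will receive
        return headers, body                        # first requester gets the full response


def state_seen_by_clients(strip_per_user, clients=3, path="/catalog"):
    """Return (State-Info value each client received, requests that reached the origin)."""
    origin = Origin()
    proxy = CachingProxy(origin, strip_per_user)
    seen = [proxy.get(path)[0].get("State-Info") for _ in range(clients)]
    return seen, origin.issued


if __name__ == "__main__":
    print("caches unknown headers:", state_seen_by_clients(False))
    print("strips State-Info     :", state_seen_by_clients(True))
```

In both runs only one request reaches the origin, so the page stays cacheable; the difference is whether the stored copy carries one user's state to the others.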