Update: Session Management - caching guidelines #1499
Labels
ACK_WAITING: Issue waiting for acknowledgement from the core team before work to fix it starts.
HELP_WANTED: Issue for which help is wanted to do the job.
UPDATE_CS: Issue about the update/refactoring of an existing cheat sheet.
In the Web Content Caching section it says:
"Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache everything except the session ID (see here)."
But I am confused because MDN says (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control):
"Note that no-cache does not mean "don't cache". no-cache allows caches to store a response but requires them to revalidate it before reuse. If the sense of "don't cache" that you want is actually "don't store", then no-store is the directive to use."
So does this mean we should be sending the no-store directive with any response from our server which includes a header of set-cookie: sessionid=someid?
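The difference the question turns on is what a shared cache is permitted to do with a stored response, and with the Set-Cookie header inside it, under each directive. The following added example (not part of the issue or the cheat sheet) models the RFC 9111 rules for a conforming shared cache: no-store means nothing is written to the cache, an unqualified no-cache means the stored response must be revalidated before reuse, and the qualified no-cache="Set-Cookie, Set-Cookie2" form means the body may be reused but the listed header fields must not be forwarded without revalidation. It models only the standard's rules, not the behaviour of any particular cache product; the header dictionaries are constructed samples.

```python
"""Model what a conforming shared HTTP cache (RFC 9111 semantics) may do with a
response that sets a session cookie, for the directives discussed in the issue."""
import re
from typing import Dict, List, Optional

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}, keeping the
    quoted field-name form intact, e.g. no-cache="Set-Cookie, Set-Cookie2"."""
    directives: Dict[str, Optional[str]] = {}
    for m in re.finditer(r'([\w-]+)(?:=("[^"]*"|[^\s,]*))?', value):
        name, arg = m.group(1).lower(), m.group(2)
        if arg is not None and arg.startswith('"'):
            arg = arg[1:-1]          # strip the quotes around the field-name list
        directives[name] = arg
    return directives

def _field_names(arg: Optional[str]) -> List[str]:
    """Field names listed in a qualified no-cache/private argument, lower-cased."""
    return [f.strip().lower() for f in arg.split(",") if f.strip()] if arg else []

def session_cookie_exposure(headers: Dict[str, str]) -> Dict[str, bool]:
    """Decide whether a shared cache may store the body, whether it must revalidate
    before reusing it, and whether it may replay the stored Set-Cookie to another
    client without revalidating. `headers` is a constructed {name: value} dict."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    # no-store: nothing is written to the cache. Unqualified private: a shared
    # cache must not store the response at all.
    if "no-store" in cc or ("private" in cc and cc["private"] is None):
        return {"body_stored": False, "revalidate_before_reuse": False,
                "set_cookie_reusable": False}
    revalidate = "no-cache" in cc and cc["no-cache"] is None
    # Qualified no-cache="..." / private="...": the body may be reused, but the
    # listed header fields must not be sent on without successful revalidation.
    stripped = set(_field_names(cc.get("no-cache")) + _field_names(cc.get("private")))
    cookie_reusable = ("Set-Cookie" in headers and "set-cookie" not in stripped
                       and not revalidate)
    return {"body_stored": True, "revalidate_before_reuse": revalidate,
            "set_cookie_reusable": cookie_reusable}

# Constructed sample responses for the options raised in the issue.
CHEAT_SHEET_OPTION = {"Cache-Control": 'no-cache="Set-Cookie, Set-Cookie2"',
                      "Set-Cookie": "sessionid=someid; HttpOnly; Secure"}
NO_STORE_OPTION = {"Cache-Control": "no-store",
                   "Set-Cookie": "sessionid=someid; HttpOnly; Secure"}
UNPROTECTED = {"Cache-Control": "max-age=600",
               "Set-Cookie": "sessionid=someid; HttpOnly; Secure"}

if __name__ == "__main__":
    for label, hdrs in [("cheat sheet", CHEAT_SHEET_OPTION), ("no-store", NO_STORE_OPTION),
                        ("max-age only", UNPROTECTED)]:
        print(f"{label:13s} -> {session_cookie_exposure(hdrs)}")
```

Both the cheat sheet's qualified directive and no-store stop a conforming shared cache from replaying the session cookie; they differ in whether the response body itself is stored and served to other clients.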