Taking a look through the Squid documentation, their behaviour
(which is claimed to be RFC compliant) is:
- Do not cache anything with Cache-Control: {Private|No-Cache|No-Store}
- Consider as cacheable if ANY of Date, Last-Modified, and Expires are
  present
- Ignore Cookie/Set-Cookie in requests/responses for purposes of
  cacheability (but filter Set-Cookie out of CACHE_HIT responses)
So (according to the Squid folks), proxies are perfectly justified in
caching default ACS pages, because while there are no Expires or
Last-Modified headers returned, the presence of Date implies that the
server knows how to keep track of time, and it isn't saying that the
object is potentially stale, so it must be OK. Likewise the presence of
cookies is irrelevant to cacheability.
I'd lean towards sticking non-cacheability headers in the
master template, with an optional property pages could set
saying "I'm cacheable until..."
On another note, it's interesting to see IIS set
Cache-control: private on static pages... you might want
to take a look at that...
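
The three rules listed in the post above, modelled as an added example (not part of the original post and not Squid's own code), to show why a page carrying only Date and a session cookie is treated as shareable until a Cache-Control opt-out is sent. The header values and the names `proxy_would_cache` and `headers_served_on_hit` are constructed for illustration.

```python
# Model of the shared-proxy rules as summarised in the post; an
# illustration only, not Squid's implementation.
NON_CACHEABLE_DIRECTIVES = {"private", "no-cache", "no-store"}
FRESHNESS_HEADERS = ("date", "last-modified", "expires")


def _normalise(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def cache_control_directives(headers):
    """Return the set of Cache-Control directive names (arguments dropped)."""
    raw = _normalise(headers).get("cache-control", "")
    return {part.split("=", 1)[0].strip().lower()
            for part in raw.split(",") if part.strip()}


def proxy_would_cache(headers):
    """Apply the three rules from the post to a response's headers."""
    h = _normalise(headers)
    if cache_control_directives(h) & NON_CACHEABLE_DIRECTIVES:
        return False  # rule 1: an explicit opt-out always wins
    # rule 3: Cookie/Set-Cookie is deliberately not consulted
    return any(name in h for name in FRESHNESS_HEADERS)  # rule 2


def headers_served_on_hit(headers):
    """On a cache hit Set-Cookie is filtered; the stored body is still shared."""
    return {n: v for n, v in headers.items() if n.lower() != "set-cookie"}


# Constructed sample responses (not captured traffic).
DEFAULT_PAGE = {
    "Date": "Mon, 01 Jan 2001 00:00:00 GMT",
    "Content-Type": "text/html",
    "Set-Cookie": "session_id=EXAMPLE; path=/",
}
# Same page with the non-cacheability header the post proposes adding.
HARDENED_PAGE = {**DEFAULT_PAGE, "Cache-Control": "private, no-store"}

if __name__ == "__main__":
    for label, page in (("default", DEFAULT_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, "cacheable by shared proxy:", proxy_would_cache(page))
```

Filtering Set-Cookie on a hit protects the cookie value only; a personalised body stored under these rules is still handed to the next requester of the same URL.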