I have a problem where corporate proxy servers serve up the page for different logged-in users. I reckon I can solve this issue by disabling proxy caching. This page suggests i
From the HTTP 1.1 spec (RFC 2616), chapter 14.9.1:
private
Indicates that all or part of the response message is intended for
a single user and MUST NOT be cached by a shared cache. This
allows an origin server to state that the specified parts of the
Header set Cache-Control "private, ..." does the trick.
There is no need for the Expires header. Cache-Control: max-age overrides the Expires field. See RFC Section: 14.21
You should send different caching headers depending on the content you deliver.
The following example is for a website delivering static content in /static and varying content for logged-in users. Logged-in users are identified by the presence of the session cookie: MYSESSID.
RewriteEngine On
# Flag files in /static as STATIC
RewriteRule ^static - [E=STATIC:1]
# Flag requests by logged in users as PRIVATE
# Users are identified by presence of MYSESSID cookie
# Ignores files in: /static
RewriteCond %{HTTP_COOKIE} MYSESSID
RewriteCond %{REQUEST_URI} !^/static
RewriteRule ^ - [E=PRIVATE:1]
# Tell proxy servers that contents not in /static vary based on the given cookies
RewriteCond %{REQUEST_URI} !^/static
RewriteRule ^ - [E=VARY:1]
# Flag requests to /dynamic as NO_CACHE
RewriteRule ^dynamic - [E=NO_CACHE:1]
## Default Cache-Control
# By default, any content is public and cacheable for 5 minutes
Header set Cache-Control "public, max-age=300"
## Static Files
# Static files are public and 365d cacheable.
Header set Cache-Control "public, max-age=31536000" env=STATIC
# Reset age, indicates objects as fresh
Header set Age 0 env=STATIC
## Private responses
# private. Allow 5min caching
Header set Cache-Control "private, max-age=300" env=PRIVATE
## Deny caching
Header set Cache-Control "private, max-age=0, no-cache, no-store, must-revalidate" env=NO_CACHE
## Vary rules
Header append Vary: Cookie env=VARY
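The effect of these headers on a shared cache, as an added example that is not part of the original answers: a toy proxy model showing that a personalised page sent as `public` is replayed to another user, while `private`, `no-store` or `Vary: Cookie` prevents that. `SharedCache`, `make_origin`, `leaks`, the `/account` URL and the users alice and bob are constructed for illustration; freshness (`max-age`) is not modelled, and the toy proxy is assumed to store anything it is not forbidden to store.

```python
# Added illustration: a toy shared (proxy) cache, not a real proxy implementation.
def directives(headers):
    """Parse Cache-Control into {directive: value or None}."""
    out = {}
    for part in headers.get("Cache-Control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip('"') or None
    return out


class SharedCache:
    def __init__(self):
        self.entries = {}  # url -> [(selected request headers, body)]

    def fetch(self, url, req, origin):
        # Reuse a stored response only if every header named by Vary matches.
        for selected, body in self.entries.get(url, []):
            if all(req.get(n, "") == v for n, v in selected):
                return body, "HIT"
        headers, body = origin(url, req)
        vary = [n.strip().lower() for n in headers.get("Vary", "").split(",") if n.strip()]
        # A shared cache must not store "private" or "no-store" responses.
        forbidden = directives(headers).keys() & {"private", "no-store"}
        if not forbidden and "*" not in vary:
            selected = tuple((n, req.get(n, "")) for n in vary)
            self.entries.setdefault(url, []).append((selected, body))
        return body, "MISS"


def make_origin(policy):
    """Constructed origin: personalises the body from the session cookie."""
    def origin(url, req):
        return dict(policy), f"{url} rendered for {req.get('cookie', 'anonymous')}"
    return origin


def leaks(policy):
    """True if bob is served the page that was rendered for alice."""
    cache, origin = SharedCache(), make_origin(policy)
    cache.fetch("/account", {"cookie": "MYSESSID=alice"}, origin)
    body, _ = cache.fetch("/account", {"cookie": "MYSESSID=bob"}, origin)
    return "alice" in body


if __name__ == "__main__":
    for cc in ("public, max-age=300", "private, max-age=300"):
        print(cc, "->", "LEAK" if leaks({"Cache-Control": cc}) else "ok")
```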