Proxy Server, Cache-Control http header, ASP.NET and MOSS 2007

Today I got in contact with an interesting problem raised by a customer. He enabled output caching on his MOSS server machine and configured the output cache profile to use Cacheability “Public”:

This setting should add a “Cache-Control: public” http header to the response sent to a browser. “Cache-Control: public” allows caching of the item as well inside proxy servers and in the client browser cache.

What the customer noticed was that event that he set the Cacheability to public the Cache-Control header sent to his browsers was “Cache-Control: private”. “Cache-Control: private” allows caching of the item only in the Browser cache but not inside proxy servers.

Due to this Cache-Control header the MOSS server got hit by many more requests than expected.

What we found is that this behaviour was actually caused by a security feature of ASP.NET. Even that SharePoint added a “Cache-Control: public” header to the response ASP.NET changed this header to “Cache-Control: private” in the OnLeave method of the System.Web.Caching.OutputCacheModule.

So why did this OutputCacheModule change the Cache-Control header from public to private?

The answer is: MOSS was not configured for anonymous authentication. ASP.NET does not allow “Cache-Control: public” for authenticated requests. It enforces “Cache-Control: private”.

On second thought this makes perfectly sense: if the server requires authentication to view specific content then it would not be nice if a proxy server would cache the items and show it to the next user trying to see the same item even if he is not authenticated against the MOSS server. The proxy server would not have a chance to verify if this second user has rights to see the item or not.

E.g. lets assume that one of the sharepoint pages contains a web part that shows each user private information about his bank account. If the page would be cached in a proxy server the next user would not see his account information but the account information of the user who previously browsed to the same URL.

To avoid this the ASP.NET output caching module intercepts the response and replaces Cache-Control: public with Cache-Control: private if the response is for an authenticated request.

Enabling anonymous access on the site collection provided the customer with the required functionality.

As an administrator you have to decide what is more important for you: optimum security or optimum performance – you cannot have both.


  1. Interesting…we are facing a situation with our anonymous MOSS site…we have a customer login control that shows if a user is logged in or not…however when we have output caching enabled the code behind of the server control does not get hit…any idea how to ensure this doesn’t happen…

    so when a user is logged in and the control is cached…and they hit logout the uyser is never logged out because the code behind is not hit


  2. Hi Ali,

    that is the purpose of output caching: to prevent code from being run and to serve content from the cache.

    You cannot have both: output caching and your code to be run for each request.




  3. You cannot have both: output caching and your code to be run for each request.

    nice site thx


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.