Today I ran into an interesting problem raised by a customer. He had enabled output caching on his MOSS server and configured the output cache profile to use Cacheability “Public”.
This setting should add a “Cache-Control: public” HTTP header to the response sent to the browser. “Cache-Control: public” allows the item to be cached in proxy servers as well as in the client browser cache.
What the customer noticed was that, even though he had set the Cacheability to public, the Cache-Control header sent to his browsers was “Cache-Control: private”. “Cache-Control: private” allows the item to be cached only in the browser cache, not in proxy servers.
Due to this Cache-Control header the MOSS server got hit by many more requests than expected.
What we found is that this behaviour was actually caused by a security feature of ASP.NET. Even though SharePoint added a “Cache-Control: public” header to the response, ASP.NET changed this header to “Cache-Control: private” in the OnLeave method of System.Web.Caching.OutputCacheModule.
So why did this OutputCacheModule change the Cache-Control header from public to private?
The answer is: MOSS was not configured for anonymous authentication. ASP.NET does not allow “Cache-Control: public” for authenticated requests. It enforces “Cache-Control: private”.
On second thought this makes perfect sense: if the server requires authentication to view specific content, it would be unsafe for a proxy server to cache the item and serve it to the next user who requests the same item, even if that user is not authenticated against the MOSS server. The proxy server has no way to verify whether this second user has the rights to see the item.
For example, assume that one of the SharePoint pages contains a web part that shows each user private information about his bank account. If the page were cached in a proxy server, the next user would see not his own account information but that of the user who previously browsed to the same URL.
To avoid this, the ASP.NET output caching module intercepts the response and replaces “Cache-Control: public” with “Cache-Control: private” whenever the response belongs to an authenticated request.
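To make the mechanism concrete, here is a small constructed model (added to this post; it is not SharePoint or ASP.NET code, and all names in it are hypothetical) of a shared proxy cache that honours “Cache-Control: public”, together with the downgrade-to-private rule for authenticated requests described above. Running it shows three situations: what would happen if the server sent “public” for an authenticated request, what the customer actually observed (every request reaches the server), and the anonymous-access case in which the proxy serves the cached copy.

```python
# Added example: a constructed model of proxy caching and of the
# "public" -> "private" downgrade for authenticated requests.
# Hypothetical names; not SharePoint/ASP.NET code.
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    cache_control: str


def effective_cache_control(configured: str, authenticated: bool) -> str:
    """The rule the post describes: 'public' is honoured only for anonymous
    requests; for an authenticated request the header is forced to 'private'."""
    if authenticated and configured == "public":
        return "private"
    return configured


class ProxyCache:
    """A shared cache sitting between browsers and the server. Following HTTP
    semantics it stores only responses marked 'public', and it serves a stored
    response to any later requester without knowing who that requester is."""

    def __init__(self):
        self.store = {}
        self.origin_hits = 0

    def get(self, url, user, origin):
        if url in self.store:            # no authorization check possible here
            return self.store[url]
        resp = origin(url, user)         # cache miss: forward to the server
        self.origin_hits += 1
        if resp.cache_control == "public":
            self.store[url] = resp
        return resp


def make_origin(configured_cacheability, authenticated, enforce_private=True):
    """Constructed origin server for an 'account' page whose body depends on the
    requesting user. enforce_private=False models a server that would leave
    'public' in place for authenticated requests (the unsafe behaviour)."""
    def origin(url, user):
        cc = configured_cacheability
        if enforce_private:
            cc = effective_cache_control(cc, authenticated)
        who = user if authenticated else "anonymous"
        return Response(body=f"account page for {who}", cache_control=cc)
    return origin


def simulate(configured_cacheability, authenticated, enforce_private=True):
    """Alice and then Bob request the same URL through one proxy.
    Returns (body Bob received, number of requests that reached the server)."""
    proxy = ProxyCache()
    origin = make_origin(configured_cacheability, authenticated, enforce_private)
    proxy.get("/account", "alice", origin)
    bob = proxy.get("/account", "bob", origin)
    return bob.body, proxy.origin_hits


if __name__ == "__main__":
    # Unsafe: 'public' honoured for authenticated users -> Bob sees Alice's page.
    print(simulate("public", authenticated=True, enforce_private=False))
    # Observed behaviour: downgrade to 'private' -> every request hits the server.
    print(simulate("public", authenticated=True))
    # Anonymous access enabled: 'public' honoured -> proxy serves the cached copy.
    print(simulate("public", authenticated=False))
```

The second call reproduces the customer's symptom (two users, two server hits), and the third shows why enabling anonymous access restored the expected caching: with no per-user content to protect, the proxy may safely serve one copy to everyone.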
Enabling anonymous access on the site collection provided the customer with the required functionality.
As an administrator you have to decide what is more important to you: optimum security or optimum performance – you cannot have both.