Caching headers for static content: cache-control: private is send for authenticated users?


Hi everybody.

We have setup caching for static content as described in, and it works fine for anonymous users. However, when a user is logged in to Episerver cache-control:private is send in the response instead.

As we are using authentication for our end-users (we are provinding an extranet), it does not make any sense for us not to cache static content for those users.

Anyone who knows why cache-control: private is used by Episerver when a user is authenticated?

Our relevante sections in web.config are as follows:

      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="365.00:00:00" setEtag="false" />
      <remove fileExtension=".woff" />
      <remove fileExtension=".woff2" />
      <remove fileExtension=".otf" />
      <remove fileExtension=".ttf" />
      <remove fileExtension=".svg" />
      <remove fileExtension=".eot" />
      <remove fileExtension=".json" />
      <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
      <mimeMap fileExtension=".woff2" mimeType="application/font-woff2" />
      <mimeMap fileExtension=".otf" mimeType="application/x-font-opentype" />
      <mimeMap fileExtension=".ttf" mimeType="application/octet-stream" />
      <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
      <mimeMap fileExtension=".eot" mimeType="application/" />
      <mimeMap fileExtension=".json" mimeType="application/json" />
        <add extension=".gif" policy="DontCache" kernelCachePolicy="CacheUntilChange" duration="0.00:30:00" location="Any" />
        <add extension=".png" policy="DontCache" kernelCachePolicy="CacheUntilChange" duration="0.00:30:00" location="Any" />
        <add extension=".js" policy="DontCache" kernelCachePolicy="CacheUntilChange" duration="0.00:30:00" location="Any" />
        <add extension=".css" policy="DontCache" kernelCachePolicy="CacheUntilChange" duration="0.00:30:00" location="Any" />
        <add extension=".jpg" policy="DontCache" kernelCachePolicy="CacheUntilChange" duration="0.00:30:00" location="Any" />
        <add extension=".jpeg" policy="DontCache" kernelCachePolicy="CacheUntilChange" duration="0.00:30:00" location="Any" />
May 22, 2020 6:56

Hi Peter

The configurations you posted applies to "real" static files, as in typical frontend bundles located in the website package.

Asset files from Episerver has a different behaviour. But you can easily change the behaviour of Episever assets file caching to be be either private, public or a hybrid (the default).

The feature is documented here, but the configuration entries are not added to web.config by default. So you will have to mix it into your web.config, like this:

    <section name="staticFile" type="EPiServer.Framework.Configuration.StaticFileSection, EPiServer.Framework.AspNet"/>
  <staticFile cacheControl="public" enableOutputCache="false" expirationTime="12:0:0" />
May 22, 2020 8:39

Thank you Stefan.

I actually already had the following in my config file - but it didn't include the cacheControl property.

<staticFile expirationTime="365:0:0" />

Would it make sense to limit it to certain locations?

  <location path="globalassets">
    <staticFile expirationTime="365.00:00:00" cacheControl="Public"/>
  <location path="siteassets">
    <staticFile expirationTime="365.00:00:00" cacheControl="Public"/>
May 22, 2020 8:52

Hi Peter

This setting applies globally to the asset handler, so it cannot be limited to specific paths.

May 22, 2020 8:54

Hi Stefan.

In they use locations?:

The below setting may also be needed if you want to leverage the globalasset's static files
        <location path="GlobalAssets">
                <staticFile expirationTime="7.00:00:00" cacheControl="Public"/>
May 22, 2020 9:01
Stefan Holm Olsen - May 22, 2020 9:07
Then it should work, as you write.
But the setting would already apply globally to globalassets, and siteassets. So, unless you have some specific needs, it should not be necessary to specify subfolders by using location elements.

Just an FYI: By making the cache control public you could end up with access rights protected assets in the CDN. I.e. after a user has requested a protected asset, then ALL users can access it. You basically have to purge the CDN to get rid of it. 

May 22, 2020 13:25
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.