I am writing a web application framework. To properly support reverse proxy servers, I want to make sure that whenever the web application is accessing cookie data, pages that are sent to the user are cached only for that user. As far as I know, there are two ways of achieving this:
header('Vary: Cookie');
or
header('Cache-Control: private');
The immediate benefit of using Vary: Cookie is that a reverse proxy server will cache non-authenticated requests. However, we're using Google Analytics which create cookies through javascript - so I am afraid the Vary: Cookie method is unusable?
Cookies set by a script served by a given domain will only be sent to that domain.
The proxy will not receive the cookies set by google analytics.