I'm writing a resource handling method where I control access to various files, and I'd like to be able to make use of the browser's cache. My question is two-fold:
We are also handling cached, but secured, resources. If you send / generate an ETag header (which RFC 2616 section 13.3 recommends you SHOULD), then the client MUST use it in a conditional request (typically in an If-None-Match - HTTP_IF_NONE_MATCH - header). If you send a Last-Modified header (again you SHOULD), then you should check the If-Modified-Since - HTTP_IF_MODIFIED_SINCE - header. If you send both, then the client SHOULD send both, but it MUST send the ETag. Also note that validation is just defined as checking the conditional headers for strict equality against the ones you would send out. Also, only a strong validator (such as an ETag) will be used for ranged requests (where only part of a resource is requested).
In practice, since the resources we are protecting are fairly static, and a one second lag time is acceptable, we are doing the following:
Check to see if the user is authorized to access the requested resource
If they are not, Redirect them or send a 4xx response as appropriate. We will generate 404 responses to requests that look like hack attempts or blatant tries to perform a security end run.
Compare the If-Modified-Since header to the Last-Modified header we would send (see below) for strict equality
If they match, send a 304 Not Modified response and exit page processing
Create a Last-Modified header using the modification time of the requested resource
Look up the HTTP Date format in RFC 2616
Send out the header and resource content along with an appropriate Content-Type
We decided to eschew the ETag header since it is overkill for our purposes. I suppose we could also just use the date time stamp as an ETag. If we move to a true ETag system, we would probably store computed hashes for the resources and use those as ETags.
If your resources are dynamically generated, from say database content, then ETags may be better for your needs, since they are just text to be populated as you see fit.
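The procedure in the answer above, written out as a small GET handler. This is an added example, not code from the question or the answer: it checks authorization before it does any cache validation, returns 304 only on strict string equality against the Last-Modified value it would send, formats that value as an RFC 2616 HTTP-date, and also derives a strong ETag from a content hash as the answer's last paragraph suggests. The in-memory RESOURCES table, the ACL, the request shape (path, header dict, user name) and the status codes chosen for the unauthorized cases are all constructed assumptions.

```python
# Added example: conditional GET for access-controlled static files.
# RESOURCES, ACL and the (path, headers, user) request shape are constructed
# for illustration; they are not the original poster's code.
import hashlib
from email.utils import formatdate

# Constructed stand-in for the filesystem: path -> (mtime in epoch seconds, content type, bytes)
RESOURCES = {
    "/reports/q1.txt": (1_700_000_000, "text/plain", b"Q1 numbers"),
    "/reports/q2.txt": (1_700_086_400, "text/plain", b"Q2 numbers"),
}

# Constructed access-control list: path -> users allowed to read it
ACL = {
    "/reports/q1.txt": {"alice", "bob"},
    "/reports/q2.txt": {"alice"},
}


def http_date(epoch_seconds: int) -> str:
    """RFC 2616 / RFC 7231 HTTP-date (IMF-fixdate), e.g. 'Tue, 14 Nov 2023 22:13:20 GMT'."""
    return formatdate(epoch_seconds, usegmt=True)


def strong_etag(body: bytes) -> str:
    """Strong validator derived from the content itself; entity tags are quoted strings."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def handle_get(path: str, headers: dict, user):
    """Return (status, response headers, body) for a GET of `path` by `user` (None = anonymous)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # Step 1: requests that look like an end run (traversal, odd separators, NUL) get a
    # plain 404 before the filesystem or the ACL is consulted, so nothing about the tree leaks.
    if not path.startswith("/") or ".." in path or "\\" in path or "\x00" in path:
        return 404, {}, b""

    allowed = ACL.get(path)
    if allowed is None:
        return 404, {}, b""
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="files"'}, b""
    if user not in allowed:
        return 403, {}, b""

    # Step 2: authorization passed; only now compute the validators we would send, so an
    # unauthorized client can never get a 304 that confirms it holds a current copy.
    mtime, content_type, body = RESOURCES[path]
    last_modified = http_date(mtime)
    etag = strong_etag(body)
    common = {
        "Last-Modified": last_modified,
        "ETag": etag,
        # Keep the copy out of shared caches and force revalidation on every use, so the
        # authorization check above runs on each request even when the content is unchanged.
        "Cache-Control": "private, no-cache",
    }

    # Step 3: validate. If-None-Match, when present, takes precedence over If-Modified-Since
    # (RFC 7232 section 3.3); both checks are strict string equality against our own values.
    if "if-none-match" in hdrs:
        offered = [t.strip() for t in hdrs["if-none-match"].split(",")]
        if etag in offered:
            return 304, common, b""
    elif hdrs.get("if-modified-since") == last_modified:
        return 304, common, b""

    # Step 4: no validator matched; send the full representation with its metadata.
    return 200, {**common, "Content-Type": content_type, "Content-Length": str(len(body))}, body
```

Two points worth noting in this layout: the 304 path is only reachable after the authorization checks, and a Last-Modified value that differs from ours in any way (different time zone, a second off, different format) simply results in a 200 with the full body, which is the strict-equality behaviour the answer describes rather than a date comparison.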