I am writing a web application framework. To properly support reverse proxy servers, I want to make sure that whenever the web application is accessing cookie data, pages that are sent to the user are cached only for that user. As far as I know, there are two ways of achieving this:
header('Vary: Cookie');
or
header('Cache-Control: private');
The immediate benefit of using Vary: Cookie is that a reverse proxy server will cache non-authenticated requests. However, we're using Google Analytics, which creates cookies through JavaScript - so I am afraid the Vary: Cookie method is unusable?
Cookies set by a script served by a given domain will only be sent to that domain.
The proxy will not receive the cookies set by Google Analytics.
Google Analytics does however set cookies on the domain itself (first-party cookie), not on Google's domain. This is the principle of how it works.
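A simplified model of a shared (reverse-proxy) cache, added here as an illustration and not part of the original thread, showing how `Vary: Cookie` and `Cache-Control: private` change what the proxy stores and reuses. The `SharedCache` class, the origin functions, the `session` cookie name and all cookie values are constructed assumptions; real proxies implement more of the HTTP caching rules than this.

```python
class SharedCache:
    """Toy shared cache: honours Vary and Cache-Control: private/no-store only."""
    def __init__(self):
        self.store = {}       # url -> list of (vary_names, selected_headers, body)
        self.origin_hits = 0

    def fetch(self, url, req_headers, origin):
        req = {k.lower(): v for k, v in req_headers.items()}
        for vary, selected, body in self.store.get(url, []):
            # A stored variant is reusable only if every header named in Vary
            # has exactly the value it had in the request that produced it.
            if all(req.get(h) == selected.get(h) for h in vary):
                return body
        self.origin_hits += 1
        resp_headers, body = origin(req)
        resp = {k.lower(): v for k, v in resp_headers.items()}
        cc = {d.strip().lower() for d in resp.get("cache-control", "").split(",")}
        vary = [h.strip().lower() for h in resp.get("vary", "").split(",") if h.strip()]
        if not cc & {"private", "no-store"} and "*" not in vary:
            selected = {h: req.get(h) for h in vary}
            self.store.setdefault(url, []).append((vary, selected, body))
        return body

def session_of(req):
    # Constructed cookie format: "name=value; name=value"
    cookie = req.get("cookie", "")
    pairs = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    return pairs.get("session", "anonymous")

def origin_vary(req):       # models header('Vary: Cookie')
    return {"Vary": "Cookie"}, "page for " + session_of(req)

def origin_private(req):    # models header('Cache-Control: private')
    return {"Cache-Control": "private"}, "page for " + session_of(req)

def origin_none(req):       # neither header: the case both headers guard against
    return {}, "page for " + session_of(req)

def run(origin, cookie_headers):
    """Send one request per Cookie value; return (bodies, origin hits, stored variants)."""
    cache = SharedCache()
    bodies = [cache.fetch("/home", {"Cookie": c} if c else {}, origin)
              for c in cookie_headers]
    return bodies, cache.origin_hits, sum(len(v) for v in cache.store.values())

if __name__ == "__main__":
    print(run(origin_vary, [None, None]))                        # one variant, reused
    print(run(origin_vary, ["_ga=GA1.1.111.1", "_ga=GA1.1.222.2"]))  # one variant per visitor
    print(run(origin_private, ["session=alice", "session=bob"]))  # nothing stored
    print(run(origin_none, ["session=alice", "session=bob"]))     # alice's page reused for bob
```

In this model the variant key is the whole `Cookie` request header, so any per-visitor cookie that reaches the proxy produces a separate stored copy even when the session is the same.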