I'm using a PHP script to serve images (stored outside of webroot) to visitors who have provided credentials allowing them access.
I'm sending the following headers: 'Content-Type', 'Last-Modified', 'Content-Length', 'Content-Disposition' (to set filename).
I incorporated code to check $_SERVER['HTTP_IF_MODIFIED_SINCE'] and if appropriate, send a 'HTTP/1.1 304 Not Modified' and quit. But in Firebug I notice that the response headers for the request include this:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
and the image does appear to be downloading anew every time I view the page. This is unnecessary; it makes sense for the images to be cached by the client. But I don't know what extra headers I should send to make this happen. What headers do I need to send?
Edit: These are the header commands I ended up putting in the script:
header('Cache-Control: private, max-age=0, must-revalidate');
header('Expires: Sat, 1 Jan 2000 12:00:00 GMT');
header('Pragma:');
You can send the Expires, Cache-Control and Pragma headers yourself:
Expires uses RFC 1123 date, format, eg: Expires: Thu, 03 Feb 2011 15:16:16 GMT
For Cache-Control you can do: Cache-Control: public, max-age: 3600. The max-age is in seconds.
As for Pragma, you can disable the web server's default response of no-cache with:
header('Pragma: ');
PS. Many webservers also include a way for you to tell the webserver handle serving the file.
In lighttpd you can use the x-sendfile header. In Apache you can use mod_xsendfile if you have it installed to do the same. In nginx you can use the X-Accel-Redirect header. Serving static files is really the webserver's job, and these are very handy features that you can take advantage of, while still hiding your files from public docroot area. For other webservers you can fallback to handling sending the headers for caching yourself.
Are you using sessions? Those tend to send no-cache headers to force a fresh page load each time, or some other section/module of your site is sending them.
You can try to force a cache-control header with something like:
header("Cache-control: max-age=3600, must-revalidate");
You can set Expires and Last-Modified as described in this post: How to cache images generated by PHP