24 Jun
Does Cache-Control: no-cache="Set-Cookie, Set-Cookie2" actually prevent caching cookies?
This OWASP recommendation says:
it is highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache everything except the session ID
But the Mozilla docs say:
The no-cache response directive indicates that the response can be stored in caches, but the response must be validated with the origin server before each reuse, even when the cache is disconnected from the origin server.
So no-cache can't actually prevent the caching of session cookies, can it?
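How a cache that implements the qualified form of `no-cache` (RFC 9111, section 5.2.2.4) would treat the header from the question, as an added example that is not part of the original post. The function names and the sample response are constructed for illustration, and the model is simplified: it ignores freshness and every directive other than `no-cache` and `no-store`.

```python
import re

# One directive: name, optionally =token or ="quoted string", then "," or end.
_DIRECTIVE = re.compile(
    r'\s*([^\s=,"]+)(?:=(?:"((?:[^"\\]|\\.)*)"|([^\s,"]*)))?\s*(?:,|$)')

def parse_cache_control(value):
    """Map directive name -> argument (None if absent). Commas inside a
    quoted argument, as in no-cache="A, B", do not split directives."""
    value, pos, out = value.strip(), 0, {}
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError(f"malformed Cache-Control at offset {pos}")
        name, quoted, token = m.groups()
        out[name.lower()] = quoted if quoted is not None else token
        pos = m.end()
    return out

def reusable_without_validation(headers):
    """Stored header fields a cache may replay without contacting the origin.
    Returns None when nothing may be reused unvalidated (or stored at all)."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return None                      # response must not be stored
    if "no-cache" in cc:
        if not cc["no-cache"]:
            return None                  # unqualified: always revalidate first
        # Qualified: only the listed fields are withheld from unvalidated reuse.
        withheld = {f.strip().lower() for f in cc["no-cache"].split(",")}
        return {k: v for k, v in headers.items() if k.lower() not in withheld}
    return dict(headers)

# Constructed sample response headers (not taken from any real site).
SAMPLE = {
    "Content-Type": "text/html",
    "Cache-Control": 'no-cache="Set-Cookie, Set-Cookie2"',
    "Set-Cookie": "SESSIONID=constructed-value; HttpOnly",
}

if __name__ == "__main__":
    print(reusable_without_validation(SAMPLE))
```

In both forms the response, cookie included, may still be written to the cache; the directive restricts reuse, not storage. RFC 9111 also notes that the qualified form is often handled by caches as if it were an unqualified `no-cache`.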