I asked this question before and did not receive an answer, so I am adding more information. I created an online service that is a bit heavy for js using spring 3 mvc and spring security for authentication / authorization. HTTPS is a requirement for any interaction, so it is included for all requests. Server setup consists of one Tomcat 7 application server (may be added even more in the future) behind the Apache2 server, which acts as a reverse proxy with mod_proxy, mod_cache and mod_deflate. Cache headers are set for all cached resources (js, css, images):
Cache-Control:max-age=604800, must-revalidate, public
This header has the desired result in Firefox and IE browsers (at least versions 3+ and 8+ that I tested), i.e. both browsers cache .js and .css files, respectively, if the user does not refresh the page, so the browser will add the Cache-Control:max-age=0 request header and get a 304 response or start the update using Cache-Control:no-cache so that it restores resource. On the other hand, Google Chrome behaves differently, although it caches files that it binds to a specific session assigned to the user, adding jsessionid to the key that is used to store files in the cache. This leads to the fact that the files are re-selected from the server each time the user logs in / out or closes the browser (Spring has a temporary session and the other remembers me). The main css, which is used for the login screen, as well as the main site, is even selected twice when the user visits the login screen and when he is redirected to the main site after logging in (since now chrome uses a file in the cache that does not have sessionid associated with it).
source share