Multiple "max-age" cache control headers in response

Question

If a web response contains a cache control header like:

Cache-Control:public, no-cache="Set-Cookie", max-age=1800,max-age=3600

Which max-age will be used by the browser?

If it matters, my code is .NET/IIS. 1800 is being set in the code for a specific http handler, and 3600 is being set in IIS for all requests.

Answer 1

Per RFC 7234, section 4.2.1, this header is not valid, as the max-age directive appears more than once:

When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale.

Clients are not required to reject it, but the specification encourages it.

Which max-age will be used by the browser?

According to the spec: none of them. Some browsers diverge from this behaviour, but this is browser-specific behaviour.

(The cache-tests.fyi HTTP Caching Tests capture results for this case, which suggest that Chrome and Safari use the first value, whereas Firefox uses the second.)

Answer 2

What I am understanding (which may not be correct) from the chromium implementation, if it is not failing somewhere before the step of parsing of max-age due to multiple max-age definitions, "the last one parsed successfully" will be effective. Logically I'm not expecting any browser implementation to compare the values and select the least/most value since the directive itself seems illogical.

Answer 3

Not sure if that is even valid. I would say that different browsers might behave differently in that case, so you pretty much would need to test and find out.

It might be a good idea for your handler to simply override the default max-age value instead of adding another one.