Question

I am writing a web application framework. To properly support reverse proxy servers, I want to make sure that whenever the web application is accessing cookie data, pages that are sent to the user are cached only for that user. As far as I know, there are two ways of achieving this:

header('Vary: Cookie');

or

header('Cache-Control: private');

The immediate benefit of using Vary: Cookie is that a reverse proxy server will cache non-authenticated requests. However, we're using Google Analytics, which creates cookies through JavaScript - so I am afraid the Vary: Cookie method is unusable?


Solution 2

Cookies set by a script served by a given domain will only be sent to that domain.

The proxy will not receive the cookies set by Google Analytics.

OTHER TIPS

For your case (using Google Analytics), this will not work, as GA sets first-party cookies for ".yourdomain.tld".

As of now, I'm seeing the following first party cookies set by Google Analytics:

_gat_gtag_UA_#####_# 
_ga 
_gid
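
Added example (not part of either answer above): a toy shared cache in Python showing how the two headers from the question behave once every visitor's browser sends its own first-party `_ga`/`_gid` cookies. The `SharedCache` class, the origin functions and all cookie values are constructed for illustration and do not model any particular proxy product.

```python
class SharedCache:
    """Toy reverse-proxy cache: keys on URL plus the request headers named in Vary."""

    def __init__(self, origin):
        self.origin = origin          # callable(path, request_headers) -> (headers, body)
        self.vary = {}                # path -> header names from the stored response's Vary
        self.store = {}               # (path, varied request header values) -> body
        self.hits = self.misses = 0

    def _key(self, path, req):
        return (path, tuple(req.get(name, "") for name in self.vary.get(path, ())))

    def get(self, path, req):
        if path in self.vary and self._key(path, req) in self.store:
            self.hits += 1
            return self.store[self._key(path, req)]
        self.misses += 1
        headers, body = self.origin(path, req)
        if "private" in headers.get("Cache-Control", ""):
            return body               # a shared cache must not store private responses
        names = headers.get("Vary", "").split(",")
        self.vary[path] = tuple(n.strip() for n in names if n.strip())
        self.store[self._key(path, req)] = body
        return body


def origin_vary_cookie(path, req):
    return {"Vary": "Cookie"}, "page"


def origin_private(path, req):
    return {"Cache-Control": "private"}, "page"


def hit_rate(origin, cookie_headers):
    """Replay one request per Cookie header value; return (hits, misses)."""
    cache = SharedCache(origin)
    for cookie in cookie_headers:
        cache.get("/", {"Cookie": cookie} if cookie else {})
    return cache.hits, cache.misses


# Constructed traffic: five anonymous visitors with no cookies, then five whose
# browsers carry per-visitor Google Analytics first-party cookies (made-up values).
NO_COOKIES = [""] * 5
GA_VISITORS = [f"_ga=GA1.2.{i}.1700000000; _gid=GA1.2.{i}.1700000001" for i in range(5)]

if __name__ == "__main__":
    print("Vary: Cookie, no cookies  ", hit_rate(origin_vary_cookie, NO_COOKIES))
    print("Vary: Cookie, GA cookies  ", hit_rate(origin_vary_cookie, GA_VISITORS))
    print("Cache-Control: private    ", hit_rate(origin_private, GA_VISITORS))
```

With per-visitor analytics cookies in the request, `Vary: Cookie` stores one variant per visitor, so first visits from different anonymous users never share a cached copy.
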
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow