You can clone with
When cookies are sent back to the browser using a 'Set-Cookie' header, the cookie middleware should also set the 'Cache-Control' header to 'private', in most cases.
I'm only familiar with varnish, which by-design does not cache when cookies are present, looks like squid does similar
Indeed. Google Chrome's audit tools also notifiy you when you don't explicitly say "Cache-Control: private" on responses that also contain a "Set-Cookie" header. What do you think about making this change?
sounds fine to me
won't really work right now because sessions always create a new one when one does not exist
will no longer be relevant since the cookie parser is being removed in favor of https://github.com/jed/cookies. i'm -1 though since people are going to complain when they find out connect is messing with their cache.