I found some time to look for existing discussions on this... (should have done that earlier)... It isn't valid to send Set-Cookie on a 304.
It is not valid to set a cookie in a 304 response. Please see section 10.3.5 of RFC2616. That is the reason Apache explictly lists headers that will be sent and why Set-Cookie isn't one of them."
I don't see how 10.3.5 says that Set-Cookie is invalid. It says that entity headers aren't allowed, but Set-Cookie isn't listed under the Entity Header section. (In fact, it isn't listed in the spec at all.)
I see that other people had the same thoughts in the first link.
