I found some time to look for existing discussions on this... (should have done that earlier)... It isn't valid to send Set-Cookie on a 304.
It is not valid to set a cookie in a 304 response. Please see section 10.3.5 of RFC2616. That is the reason Apache explictly lists headers that will be sent and why Set-Cookie isn't one of them."
I don't see how 10.3.5 says that Set-Cookie is invalid. It says that entity headers aren't allowed, but Set-Cookie isn't listed under the Entity Header section. (In fact, it isn't listed in the spec at all.)
For an interpretation of that section w.r.t. Set-Cookie by one of the authors of RFC 2616, refer to
http://hypermail.linklord.com/new-httpd.old/2001/Jun/0508.html
