> It's good to know I'm not "so" wrong, but it would be nice to not
> be wrong at all!

Didn't mean to diminish: your intuition was completely right in that the Set-Cookie: header is indeed *always* present in client memory for at least a moment in time. But not only are the response headers not available from script for the main HTTP-requested page, only for XMLHTTPRequest-ed content; a client is also free to implement its "Disable cookies" setting to mean that the header will be completely discarded -- even when the response comes in over XHR and the cookie is standard (non-HTTPOnly). So, in practice, unless you know how all your potential clients behave, when a user has disabled cookies, that in practice means you don't always have access to the raw response data, either.

-- Sandy
