I have asked this question before and got no answer so i am adding more info.
I have built an online service that’s a bit heavy on js using spring 3 mvc and spring security for authentication / authorization. HTTPS is a requirement for any interaction so this is on for all requests. The server setup consists of a single Tomcat 7 app server (may add more in the future) behind an Apache2 server that acts as a reverse proxy with mod_proxy, mod_cache and mod_deflate. The cache headers are set for all cacheable resources (js,css,images) to:

Cache-Control:max-age=604800, must-revalidate, public

The above header has the desired outcome in both Firefox and IE browsers (at least versions 3+ and 8+ respectively that i have tested on) i.e. both browsers cache the .js and .css files accordingly unless the user refreshes the page so the browser will append to the request header a Cache-Control:max-age=0 and will get a 304 reply, or forces a refresh with Cache-Control:no-cache so it will refetch the resource.
On the other hand, Google Chrome behaves differently, although it caches the files it binds them to the specific session that is assigned to the user by appending the jsessionid to the key that is used for storing the files in cache. This results in the files being re-fetched from the server each time the user logs in/out or closes the browser (Spring security has a temporal sessionid and a different remember me one). The main css that is used for the login screen as well as the main site is even fetched twice when the user visits the login screen and when he is redirected to the main site after login (since now chrome ingores the file in cache which has no sessionid bound to it).