> I don't think you need to reset it, just sending the vary header
> should be enough?

I was able to try this, and it works fine!

Adding the following line:

   fprintf(g.httpOut, "Vary: Cookie\r\n");

right after printing the ETag header in src/cgi.c (and also after printing
the Last-Modified header, if not already printed after the ETag header)
results in correct web page expiration after login and logout.

Using "user.cexpire" to calculate the ETag may give more fine-grained
control, as for example a /uv page would not need a refresh if an unrelated
cookie (for example, to set /timeline display options) were changed, but
overall, the "Vary: Cookie" method may work well enough.

Also, with "Vary: Cookie", there may be issues with caching proxies,
depending on whether they receive and evaluate all the cookies, but this
may not be a problem for Fossil.

For clients that do not understand or support "Vary: Cookie", I would still
suggest to perform the Last-Modified checks only if no ETag was included
with the request (so that ETag misses can not be outdone by Last-Modified

fossil-users mailing list

Reply via email to