> I don't think you need to reset it, just sending the vary header
> should be enough?

I was able to try this, and it works fine!

Adding the following line:

    fprintf(g.httpOut, "Vary: Cookie\r\n");

right after printing the ETag header in src/cgi.c (and also after printing
the Last-Modified header, if not already printed after the ETag header)
results in correct web page expiration after login and logout.

Using "user.cexpire" to calculate the ETag may give more fine-grained
control, as for example a /uv page would not need a refresh if an unrelated
cookie (for example, to set /timeline display options) were changed, but
overall, the "Vary: Cookie" method may work well enough.

Also, with "Vary: Cookie", there may be issues with caching proxies,
depending on whether they receive and evaluate all the cookies, but this
may not be a problem for Fossil.

For clients that do not understand or support "Vary: Cookie", I would still
suggest performing the Last-Modified checks only if no ETag was included
with the request (so that ETag misses cannot be outdone by Last-Modified
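
The validator precedence suggested in the message above, as an added example that is not part of the original post and is not Fossil's code: when the request carries an ETag, only the ETag comparison decides whether a 304 is sent, so a page cached before login is not revalidated by a matching date. The names make_etag and may_send_304, the login-state token and all sample values are assumptions; only a single strong ETag is compared (no lists, no "*", no weak tags).

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: build an ETag from a content identifier plus a
** login-state token, so that login or logout changes the tag. */
static void make_etag(char *out, size_t n, const char *content_id,
                      const char *login_state){
  snprintf(out, n, "\"%s-%s\"", content_id, login_state ? login_state : "anon");
}

/* Return 1 if "304 Not Modified" may be sent, 0 if the full page is needed.
** if_none_match: raw If-None-Match value, or NULL when the header is absent.
** if_modified_since: parsed If-Modified-Since, or (time_t)-1 when absent. */
static int may_send_304(const char *if_none_match, time_t if_modified_since,
                        const char *etag, time_t mtime){
  if( if_none_match ){
    /* The client sent an ETag: it alone decides. A miss here must not be
    ** overridden by a Last-Modified hit. */
    return strcmp(if_none_match, etag)==0;
  }
  if( if_modified_since!=(time_t)-1 ){
    /* No ETag in the request: fall back to the date comparison. */
    return mtime<=if_modified_since;
  }
  return 0;  /* unconditional request */
}

int main(void){
  char before[64], after[64];
  time_t mtime = 1700000000;  /* constructed sample timestamp */
  make_etag(before, sizeof before, "abc123", NULL);             /* logged out */
  make_etag(after, sizeof after, "abc123", "u42-1700003600");   /* logged in */
  /* Page was cached while logged out, then the user logged in. */
  printf("etag miss, date hit -> %d\n",
         may_send_304(before, mtime, after, mtime));
  printf("etag hit            -> %d\n",
         may_send_304(after, (time_t)-1, after, mtime));
  printf("no etag, date hit   -> %d\n",
         may_send_304(NULL, mtime, after, mtime));
  return 0;
}
```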