Tyler Close wrote:
On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <[email protected]> wrote:
Another thing that might be worth noting is that if the UA contains a
HTTP cache (which most popular UAs do), the UA must never use a cached
response that was the result of a request that was made with
credentials, when making a request without. The same goes the other
way around.

I gather this is because sites do not reliably use the Vary header?

"When a shared cache (see Section 13.7) receives a request containing an Authorization field, it MUST NOT return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds:..."

<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.8>

...

BR, Julian
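
The rule Jonas states and the Vary question Tyler raises, as an added example that is not part of the original thread: a toy UA cache showing that Vary-only matching reuses a cookie-bearing response for an anonymous request when the server omits Vary, while keying on credentials mode does not. `HttpCache`, `demo`, the URL and the header values are hypothetical and constructed, and header names are assumed to be lower-cased.

```javascript
// Added example: toy model of a UA HTTP cache. All names are hypothetical and
// header names are assumed to be lower-cased already.
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

function isCredentialed(request) {
  return CREDENTIAL_HEADERS.some((h) => h in request.headers);
}

// A stored entry matches only if every header the response listed in Vary has
// the same value in the new request as in the original one. "Vary: *" never matches.
function varyMatches(entry, request) {
  const names = (entry.response.headers["vary"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (names.includes("*")) return false;
  return names.every((h) => entry.request.headers[h] === request.headers[h]);
}

class HttpCache {
  constructor({ partitionByCredentials }) {
    this.partition = partitionByCredentials;
    this.entries = new Map(); // primary key -> [{ request, response }]
  }
  primaryKey(request) {
    // With partitioning on, credentialed and anonymous requests never share entries.
    const mode = this.partition ? (isCredentialed(request) ? "cred" : "anon") : "any";
    return `${request.method} ${request.url} ${mode}`;
  }
  store(request, response) {
    const key = this.primaryKey(request);
    this.entries.set(key, [...(this.entries.get(key) || []), { request, response }]);
  }
  lookup(request) {
    const list = this.entries.get(this.primaryKey(request)) || [];
    const hit = list.find((entry) => varyMatches(entry, request));
    return hit ? hit.response : null;
  }
}

// Constructed scenario: the server personalises on Cookie but sends no Vary header.
function demo(partitionByCredentials) {
  const url = "https://example.test/inbox";
  const cache = new HttpCache({ partitionByCredentials });
  cache.store({ method: "GET", url, headers: { cookie: "sid=constructed" } },
              { headers: {}, body: "inbox of alice" });
  return cache.lookup({ method: "GET", url, headers: {} });
}

console.log("Vary only:  ", demo(false)); // credentialed response is reused
console.log("partitioned:", demo(true));  // no reuse across credential modes
```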