On Thu, Feb 4, 2010 at 11:05 PM, Tyler Close <[email protected]> wrote: > On Wed, Feb 3, 2010 at 2:34 PM, Maciej Stachowiak <[email protected]> wrote: >> I don't think I've ever seen a Web server send "Vary: Cookie". I don't know >> offhand if they consistently send enough cache control headers to prevent >> caching across users. > > I've been doing a little poking around. Wikipedia sends "Vary: > Cookie". Wikipedia additionally uses "Cache-Control: private", as do > some other sites I checked. Other sites seem to be relying on > revalidation of cached entries by making them already expired.
FWIW, Django also sends "Vary: Cookie" when using sessions (which includes "form authentication" AFAICT): http://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/middleware.py -- Thomas Broyer /tɔ.ma.bʁwa.je/
