On Thu, Feb 4, 2010 at 2:05 PM, Tyler Close <[email protected]> wrote:
> On Wed, Feb 3, 2010 at 2:34 PM, Maciej Stachowiak <[email protected]> wrote:
>
> I don't think I've ever seen a Web server send "Vary: Cookie". I don't
> know offhand if they consistently send enough cache control headers to
> prevent caching across users.
>
> I've been doing a little poking around. Wikipedia sends "Vary:
> Cookie". Wikipedia additionally uses "Cache-Control: private", as do
> some other sites I checked. Other sites seem to be relying on
> revalidation of cached entries by making them already expired.

Unfortunately, lots of sites don't get this right. Look back to 2005-ish when Google released the "Google web accelerator" -- basically a glorified HTTP proxy. It assumed that servers correctly implemented the standards, and got seriously burned for serving private pages meant for one user to other users. Naturally, web masters all blamed Google, and the product was withdrawn.

(Note that I was not an employee at the time, much less on the team, so my version of the story should not be taken as authoritative.)

On the other hand, refusing to cache anything for which the request contained a cookie seems like a pretty unfortunate limitation.
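
The header patterns listed in the quoted text, and the case where a site sends none of them, as an added example that is not part of the original message: a Python check that names which mechanism, if any, keeps a shared cache from replaying a response to a request with a different cookie. The function names and sample headers are constructed for illustration, and the logic is a simplified reading of the HTTP shared-cache rules rather than a full cache implementation.

```python
# Added example: classify cross-user cache protection on a response.
from email.utils import parsedate_to_datetime

def directives(cache_control):
    """Parse a Cache-Control value into {lowercase directive: value}."""
    out = {}
    for part in cache_control.split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip('"')
    return out

def already_expired(h, cc):
    """True if the response is stale on arrival, so reuse needs revalidation."""
    if "s-maxage" in cc or "max-age" in cc:
        return cc.get("s-maxage", cc.get("max-age")) == "0"
    if "expires" not in h:
        return False
    date = parsedate_to_datetime(h["date"])  # assumes a valid Date header
    try:
        return parsedate_to_datetime(h["expires"]) <= date
    except (TypeError, ValueError):
        return True  # an unparseable Expires (e.g. "0") counts as expired

def cross_user_protection(headers):
    """Name the mechanism, if any, that keeps a shared cache from serving
    this response to a request carrying a different cookie."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = directives(h.get("cache-control", ""))
    vary = {f.strip().lower() for f in h.get("vary", "").split(",")}
    if cc.get("private") == "" or "no-store" in cc:
        return "not-stored"        # shared caches must not keep it
    if "cookie" in vary or "*" in vary:
        return "keyed-by-cookie"   # reusable only for the same Cookie value
    if cc.get("no-cache") == "" or already_expired(h, cc):
        return "revalidate"        # origin is asked again before any reuse
    return "none"                  # a shared cache may replay it to anyone

# Constructed sample responses, one per pattern mentioned in the thread.
SAMPLES = {
    "vary": {"Vary": "Accept-Encoding, Cookie", "Cache-Control": "s-maxage=300"},
    "private": {"Cache-Control": "private, max-age=0"},
    "expired": {"Date": "Thu, 04 Feb 2010 22:05:00 GMT",
                "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
    "bare": {"Cache-Control": "max-age=3600"},
}

def audit(samples=SAMPLES):
    return {name: cross_user_protection(h) for name, h in samples.items()}
```

A result of "none" for a page that was generated from the request's cookie is the misconfiguration the reply describes: nothing in the response tells a standards-following proxy to keep it away from other users.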
