#27686: calls to request.user.is_authenticated returns vary by cookie header for all users -----------------------------------------+------------------------ Reporter: Jeff Willette | Owner: nobody Type: Uncategorized | Status: new Component: Uncategorized | Version: 1.10 Severity: Normal | Keywords: Triage Stage: Unreviewed | Has patch: 0 Needs documentation: 0 | Needs tests: 0 Patch needs improvement: 0 | Easy pickings: 0 UI/UX: 0 | -----------------------------------------+------------------------ If request.user.is_authenticated() is called in a view, a `Vary: "Cookie"` Http header is returned, even if the user is an anonymous user. The anonymous user has no `sessionid` and no other cookies set. This means that any other inconsequential cookies that are in the request (such as google analytics) will cause downstream caches to cache separate pages for each user.
I think that is the user is not_authenticated, then there should be no `Vary` header sent back from django. You can recreate this problem by creating a new django project and creating a view that returns an HttpResponse after calling to is_authenticated with an anonymous user, and also calling another view that does not call to is_authenticated and comparing the HttpHeaders. I have done so here: https://github.com/deltaskelta/django-is-authenticated- vary-headers.git -- Ticket URL: <https://code.djangoproject.com/ticket/27686> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/054.5527d2cc98c149b67b2c83dcc85e9b98%40djangoproject.com. For more options, visit https://groups.google.com/d/optout.