On Feb 3, 2010, at 2:12 PM, Julian Reschke wrote:

>> AFAICT, RFC 2616 only does a special case for the Authorization
>> header, which leaves me wondering what shared caches do for other
>> kinds of credentials, such as cookies or the NTLM authentication that
>
> Cookies require
>
> Vary: Cookie
>
> on the response. Or something more drastic.
>
>> Jonas referred to. For example, if an origin server responds to a
>> request with cookies by sending a response with no Vary header and no
>> Cache-Control: private or other disabling of caching, would the proxy
>> use the response to respond to a later request without cookies? Do
>
> If it follows the applicable specs to the letter, yes (I believe).
>
>> proxies commonly implement a special case for the Cookie header,
>> similar to the Authorization header? Do origin servers commonly have
>> this bug?
>
> That would be interesting to find out.
>
> We know that "Vary" doesn't work well in practice because of all the
> bugs^^^^shortcomings in IE.

I don't think I've ever seen a Web server send "Vary: Cookie". I don't know offhand if they consistently send enough cache control headers to prevent caching across users.

Regards,
Maciej
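
Added example, not part of the original thread: a toy Python model of a shared cache that applies only the RFC 2616 rules named above (the Authorization special case, Vary matching, Cache-Control: private), showing which origin headers keep a cookie-personalised response from being reused for a request without cookies. The class, function names, URL and cookie values are constructed for illustration; freshness checks and header-name case folding are left out.

```python
# Toy shared cache (constructed for illustration; not a real proxy).
# Every stored response is treated as fresh; header names are matched exactly.

def directives(headers):
    """Parse Cache-Control into a set of lowercase directive names."""
    raw = headers.get("Cache-Control", "")
    return {d.split("=")[0].strip().lower() for d in raw.split(",") if d.strip()}

class SharedCache:
    def __init__(self, origin):
        self.origin = origin  # callable(url, req_headers) -> (resp_headers, body)
        self.store = {}       # url -> [(selecting header values, resp_headers, body)]

    def _storable(self, req, resp):
        cc = directives(resp)
        if cc & {"private", "no-store"}:
            return False
        # RFC 2616 sec. 14.8: Authorization is the only credential header
        # a shared cache special-cases. Cookie gets no such treatment.
        if "Authorization" in req and not cc & {"public", "s-maxage", "must-revalidate"}:
            return False
        return True

    def fetch(self, url, req):
        for selecting, resp, body in self.store.get(url, []):
            # RFC 2616 sec. 13.6: reuse only if every header named in Vary matches.
            if all(req.get(h) == v for h, v in selecting.items()):
                return "HIT", body
        resp, body = self.origin(url, req)
        vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        if "*" not in vary and self._storable(req, resp):
            selecting = {h: req.get(h) for h in vary}
            self.store.setdefault(url, []).append((selecting, resp, body))
        return "MISS", body

def make_origin(extra_headers):
    """Hypothetical origin that personalises the body from the Cookie header."""
    def origin(url, req):
        user = req.get("Cookie", "anonymous")
        return dict(extra_headers), f"account page for {user}"
    return origin

def second_user_sees(extra_headers, first_req=None):
    """Send a credentialed request, then return what a bare request receives."""
    cache = SharedCache(make_origin(extra_headers))
    cache.fetch("/account", first_req or {"Cookie": "session=alice"})
    return cache.fetch("/account", {})
```
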