On Thu, Feb 4, 2010 at 2:05 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, Feb 3, 2010 at 2:34 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> > I don't think I've ever seen a Web server send "Vary: Cookie". I don't
> > know offhand if they consistently send enough cache control headers to
> > prevent caching across users.
>
> I've been doing a little poking around. Wikipedia sends "Vary:
> Cookie". Wikipedia additionally uses "Cache-Control: private", as do
> some other sites I checked. Other sites seem to be relying on
> revalidation of cached entries by making them already expired.
>
Unfortunately, lots of sites don't get this right. Look back to 2005-ish
when Google released the "Google web accelerator" -- basically a glorified
HTTP proxy. It assumed that servers correctly implemented the standards,
and got seriously burned for serving private pages meant for one user to
other users. Naturally, webmasters all blamed Google, and the product was
withdrawn. (Note that I was not an employee at the time, much less on the
team, so my version of the story should not be taken as authoritative.)
On the other hand, refusing to cache anything for which the request
contained a cookie seems like a pretty unfortunate limitation.
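The four situations this exchange touches on (Wikipedia's "Cache-Control: private" plus "Vary: Cookie", "Vary: Cookie" on its own, responses that are already expired so the cache must revalidate, and a server that sends none of these) as an added Python example, not code from the original thread, from Wikipedia, or from the Google Web Accelerator: a minimal model of a shared proxy cache's store and lookup decisions. Header parsing is a simplification of RFC 7234 rather than a full implementation, the one-hour heuristic freshness lifetime is an assumption, and every URL, cookie value and header below is constructed for the demonstration.

```python
# Added example (not from the original thread): a minimal shared-cache model
# showing why "Cache-Control: private", "Vary: Cookie" and already-expired
# responses keep one user's page from being served to another, and what a
# proxy does with a server that sends none of them. Header handling is a
# simplification of RFC 7234; the one-hour heuristic lifetime and all sample
# headers, URLs and cookie values are constructed assumptions.
import email.utils

HEURISTIC_LIFETIME = 3600  # assumption: freshness used when the server says nothing


def _norm(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def parse_cache_control(value):
    """'private, max-age=0' -> {'private': True, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def shared_cache_may_store(response_headers):
    """A shared cache must not store 'private' or 'no-store' responses."""
    cc = parse_cache_control(_norm(response_headers).get("cache-control", ""))
    return not ("private" in cc or "no-store" in cc)


def freshness_lifetime(response_headers, received_at):
    """Seconds the entry may be reused without revalidating with the origin."""
    h = _norm(response_headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    for directive in ("s-maxage", "max-age"):  # s-maxage wins in a shared cache
        if directive in cc:
            try:
                return max(0, int(cc[directive]))
            except ValueError:
                return 0
    if "expires" in h:
        try:
            expires = email.utils.parsedate_to_datetime(h["expires"]).timestamp()
            date = (email.utils.parsedate_to_datetime(h["date"]).timestamp()
                    if "date" in h else received_at)
        except (TypeError, ValueError):
            return 0  # an unparsable Expires means "already stale"
        return max(0, expires - date)  # Expires == Date: stale on arrival
    return HEURISTIC_LIFETIME


def vary_matches(vary, stored_request, new_request):
    """Every request header named in Vary must match the stored request's."""
    if vary is None:
        return True
    fields = [f.strip().lower() for f in vary.split(",") if f.strip()]
    if "*" in fields:
        return False
    return all(stored_request.get(f, "") == new_request.get(f, "") for f in fields)


class SharedCache:
    """A proxy cache shared by many users, keyed by URL."""

    def __init__(self):
        self.entries = {}  # url -> [(request headers, response headers, body, time)]

    def store(self, url, request_headers, response_headers, body, now):
        if not shared_cache_may_store(response_headers):
            return False
        self.entries.setdefault(url, []).append(
            (_norm(request_headers), _norm(response_headers), body, now))
        return True

    def lookup(self, url, request_headers, now):
        """Return (body, fresh) for a Vary-compatible entry, else None.
        fresh=False means the proxy must revalidate before serving it."""
        req = _norm(request_headers)
        for stored_req, resp, body, stored_at in self.entries.get(url, []):
            if vary_matches(resp.get("vary"), stored_req, req):
                fresh = (now - stored_at) < freshness_lifetime(resp, stored_at)
                return body, fresh
        return None


def demo():
    """Run the four cases from the thread; headers and cookies are constructed."""
    now, alice, bob = 1_000_000, {"Cookie": "session=alice"}, {"Cookie": "session=bob"}
    results = {}
    # 1. Wikipedia-style: private + Vary: Cookie. Never enters a shared cache.
    cache = SharedCache()
    results["private_stored"] = cache.store(
        "/wiki/Main_Page", alice, {"Cache-Control": "private", "Vary": "Cookie"}, "alice page", now)
    # 2. Vary: Cookie alone: stored, but reused only for the same Cookie value.
    cache = SharedCache()
    cache.store("/inbox", alice, {"Vary": "Cookie", "Cache-Control": "max-age=60"}, "alice inbox", now)
    results["vary_same_user"] = cache.lookup("/inbox", alice, now + 1)
    results["vary_other_user"] = cache.lookup("/inbox", bob, now + 1)
    # 3. Already expired (Expires == Date): stored, but every hit needs revalidation.
    cache = SharedCache()
    stale = {"Date": "Thu, 04 Feb 2010 22:05:00 GMT", "Expires": "Thu, 04 Feb 2010 22:05:00 GMT"}
    cache.store("/account", alice, stale, "alice account", now)
    results["expired"] = cache.lookup("/account", bob, now + 1)
    # 4. Server sends nothing: heuristically fresh, so bob is handed alice's page.
    cache = SharedCache()
    cache.store("/account", alice, {}, "alice account", now)
    results["broken_server"] = cache.lookup("/account", bob, now + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 4 is the Google Web Accelerator failure in miniature: with no cache headers at all, a 200 response is heuristically cacheable, so a standards-following shared cache serves one user's page to the next. Two caveats on the other cases: "Cache-Control: private" only keeps the response out of shared caches, a browser's own cache may still store it; and the already-expired approach in case 3 is only as safe as the origin's revalidation, since a proxy that receives a 304 to its conditional request will serve the stored body, so the origin must not answer 304 for a request carrying a different user's cookie.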