On Sun, 2008-03-23 at 01:42 -0700, Ricardo Newbery wrote:

> I guess another alternative to the 'public' token is to instead issue
> a 'private' token with any cookie-authenticated response that should
> not be cached. This just moves the default cache strategy for
> authenticated responses to "cache everything, unless it's private"
> instead of "do not cache anything, unless it's public". Hmm... this
> may be a better approach in any case, since it plays better with other
> shared-caches that might be encountered downstream of my server.

Problem is that as soon as you enable caching of URLs giving split views, shared caches will start caching them, and with the only thing differentiating a request for a public copy with a request for a private copy being the Cookie headers (of which there may be plenty, and often changing) you have to say "Vary: Cookie".

But since each user will most likely carry his own set of cookies (and often a changing set) each request will be pretty much unique to the shared cache, almost eliminating any opportunity for a cache hit.

Regards
Henrik
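
The trade-off described in the reply above, as an added example that is not part of the original message: a toy shared cache that builds its secondary key from the request headers named in Vary, run once with `Vary: Cookie` and once with no Vary. The class, function names, the `/page` URL and the traffic are all constructed for illustration.

```python
from collections import namedtuple

Response = namedtuple("Response", "body vary")  # vary: request header names

class SharedCache:
    """Toy shared cache: primary key is the URL, secondary key is the values
    of the request headers named by the stored response's Vary header."""
    def __init__(self):
        self.vary_for_url = {}  # url -> header names from the last Vary seen
        self.store = {}         # (url, selected header values) -> body
        self.hits = 0

    def fetch(self, url, headers, origin):
        vary = self.vary_for_url.get(url)
        if vary is not None:
            key = (url, tuple(headers.get(h, "") for h in vary))
            if key in self.store:
                self.hits += 1
                return self.store[key]
        resp = origin(headers)  # miss: go to the origin and store the reply
        self.vary_for_url[url] = resp.vary
        key = (url, tuple(headers.get(h, "") for h in resp.vary))
        self.store[key] = resp.body
        return resp.body

def expected_view(headers):
    # Constructed origin rule: a session cookie selects the private view.
    return "private" if "session=" in headers.get("Cookie", "") else "public"

def constructed_traffic(users=5, rounds=4):
    """Constructed sample: every user sends a session cookie plus a tracking
    cookie that changes on each request; one anonymous client sends none."""
    for r in range(rounds):
        for u in range(users):
            yield {"Cookie": f"session=u{u}; track={r}"}
        yield {}

def simulate(vary):
    """Return (hits, total, wrong_view) for the constructed traffic."""
    cache, total, wrong = SharedCache(), 0, 0
    origin = lambda headers: Response(expected_view(headers), vary)
    for headers in constructed_traffic():
        body = cache.fetch("/page", headers, origin)
        total += 1
        wrong += body != expected_view(headers)  # served the other view
    return cache.hits, total, wrong

if __name__ == "__main__":
    print("Vary: Cookie ->", simulate(("Cookie",)))  # (3, 24, 0)
    print("no Vary      ->", simulate(()))           # (23, 24, 4)
```

With `Vary: Cookie` only the cookie-less client ever hits; without it the hit rate is high but the anonymous client receives the private view stored for the first user.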