On Mon, 2008-03-24 at 11:44 -0700, Ric wrote:

> Yes, I realize this. Unless we authenticate using one of the
> Authenticated header methods, it seems that we have to be careful not
> to try caching "split views" in standard proxies.

Even then you have the same problem. A public response is a cache hit even if the request carries authentication.

> Cookie-authenticated responses should only be cacheable in public shared
> caches if they contain no personalization.

Which is quite doable if such requests do not have any personal cookie at all (not even a tracker one), but fails if there is any kind of session/tracker cookie making each user unique.

If there is no user/session/tracking specific cookie on public requests then send

    Vary: Cookie

and additionally on personalized content

    Cache-Control: private

"Vary: Cookie" says that this response varies with the content of the Cookie header. That is every little bit of it, not just some cookie or the server's state depending on a specific cookie; any change in cookie contents means a unique request.

"Cache-Control: private" says that this response is private and intended for a single user only.

Regards
Henrik
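
An added example, not part of the message above: a toy shared cache in Python that honours only `Vary` and `Cache-Control: private`, run over the same constructed traffic against an origin that sends neither header and one that sends them as described. The class, the origin functions, the `user` and `trk` cookie names and the sample requests are all hypothetical, and the model assumes every non-private response is storable.

```python
class SharedCache:
    """Toy shared proxy cache: honours only Vary and Cache-Control: private."""
    def __init__(self):
        self.entries = {}  # url -> list of (selecting request headers, body)

    def fetch(self, url, request, origin):
        request = {k.lower(): v for k, v in request.items()}
        for selecting, body in self.entries.get(url, []):
            # Hit only if every request header named by Vary matches exactly.
            if all(request.get(h, "") == v for h, v in selecting.items()):
                return "HIT", body
        headers, body = origin(request)
        cc = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
        if "private" not in cc:  # private responses never enter a shared cache
            names = [n.strip().lower() for n in headers.get("Vary", "").split(",")]
            selecting = {n: request.get(n, "") for n in names if n}
            self.entries.setdefault(url, []).append((selecting, body))
        return "MISS", body

def page(request):
    """Constructed origin logic: greet the user named in a 'user' cookie."""
    pairs = (p.strip().split("=", 1) for p in request.get("cookie", "").split(";"))
    user = dict(p for p in pairs if len(p) == 2).get("user")
    return f"Hello {user}" if user else "Hello guest"

def origin_no_vary(request):
    # Weak: personalised body sent with no Vary and no Cache-Control.
    return {}, page(request)

def origin_vary_private(request):
    # As in the message: Vary: Cookie always, private on personalised content.
    body = page(request)
    headers = {"Vary": "Cookie"}
    if body != "Hello guest":
        headers["Cache-Control"] = "private"
    return headers, body

def demo(origin):
    cache = SharedCache()
    requests = [{"Cookie": "user=alice"}, {"Cookie": "user=bob"}, {}, {},
                {"Cookie": "trk=1"}, {"Cookie": "trk=2"}]  # constructed sample traffic
    return [cache.fetch("/home", r, origin) for r in requests]

if __name__ == "__main__":
    for origin in (origin_no_vary, origin_vary_private):
        print(origin.__name__, demo(origin))
```

With the first origin every later request is served the first user's page from cache; with the second, only the two cookie-less requests share an entry, and the two `trk` values each miss even though the body is the same.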