Tue 2010-06-22 at 19:18 +0200, Daniel Gomez wrote:
> Good afternoon everyone,
>
> I'm using Squid in front of Zope/Plone. Since my main pages
> (Homepage,...) are quite static I would want to cache them for Anonymous
> users, but not for logged users. I am using the policies:
>
> - Anonymous: Cache in proxy for 24 hours (tested with ETag header and without)
> - Logged user: Cache in the browser with ETag

You also need Vary in that mix, telling caches on what information your web server decided if the request is anonymous or logged in.

Generally speaking, cookie authentication works very, very badly with caches. This is because the response then varies on the Cookie header, and if your anonymous visitors have any session-like cookies (i.e. Google AdSense trackers, old session cookies etc) except when logged in, then things go very badly, as pretty much every user is then unique to the cache even if your server faithfully responds with nice ETags. This is because Squid does not know which ETag matches which cookie header combination before asking your server.

A better design is to use https:// for authenticated access and http:// for anonymous access. In addition to solving the problem, it also increases the security of the authenticated users' login credentials.

Then in addition I would strongly recommend using HTTP Digest authentication instead of form-based cookie authentication for authenticated access. If properly implemented, then our authenticated users' passwords are reasonably secure even if your site gets hacked.

Regards
Henrik
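Added example, not part of the original message or of Squid: a small simulation of a shared cache that honours Vary, comparing the anonymous hit ratio when responses vary on Cookie with the http/https split suggested in the reply. The `auth` and `_tracker` cookie names, the URL and the page bodies are assumptions made up for the illustration.

```python
# Added illustration, not code from the original thread. The cache below keys
# stored variants the way HTTP Vary requires: URL plus the values of the
# request headers the origin named in Vary. A "miss" stands for any contact
# with the origin, including an ETag revalidation.
# Cookie names, URLs and page bodies are constructed sample data.

class VaryCache:
    def __init__(self):
        self.vary = {}    # url -> header names from the origin's last Vary
        self.store = {}   # (url, header values) -> cached body
        self.hits = self.misses = 0

    def fetch(self, url, headers, origin):
        names = self.vary.get(url)
        if names is not None:
            key = (url, tuple(headers.get(n, "") for n in names))
            if key in self.store:
                self.hits += 1
                return self.store[key]
        self.misses += 1
        body, names = origin(url, headers)
        self.vary[url] = names
        self.store[(url, tuple(headers.get(n, "") for n in names))] = body
        return body

def cookie_origin(url, headers):
    # Hypothetical site: login state is carried in an "auth" cookie, so the
    # response must be marked Vary: Cookie.
    logged_in = "auth=" in headers.get("Cookie", "")
    return ("personal page" if logged_in else "anonymous page"), ("Cookie",)

def split_origin(url, headers):
    # Hypothetical site following the http/https split: the http:// URL is
    # always the anonymous page and carries no Vary header.
    return "anonymous page", ()

def anonymous_hit_ratio(origin, visitors=100):
    # Each anonymous visitor carries a different tracker cookie.
    cache = VaryCache()
    for i in range(visitors):
        cache.fetch("http://example.org/", {"Cookie": f"_tracker=id{i}"}, origin)
    return cache.hits / visitors

if __name__ == "__main__":
    print("Vary: Cookie      ", anonymous_hit_ratio(cookie_origin))
    print("http/https split  ", anonymous_hit_ratio(split_origin))
```

With Vary: Cookie every tracker cookie value is a separate variant, so no anonymous request is served from the cache; with the split, only the first request reaches the origin.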