[whatwg] Solving the login/logout problem in HTML

Martin Atkins mart at degeneration.co.uk
Wed Nov 26 14:40:33 PST 2008

Julian Reschke wrote:
> You can already handle the case of content that's available 
> unauthenticated, but would potentially differ in case of being 
> authenticated by adding
>   Vary: Authorization
> to a response.

According to section 14.8 of the HTTP 1.1 specification, the presence of 
the Authorization header field implies that the response varies by 

     When a shared cache (see section 13.7) receives a request
     containing an Authorization field, it MUST NOT return the
     corresponding response as a reply to any other request, unless one
     of the following specific exceptions holds:

     [some exceptions in the presence of cache-control directives]

My understanding of this is that "Vary: Authorization" is effectively 
implied for all HTTP responses.

More information about the whatwg mailing list