Per section 14.8 of the HTTP/1.1 RFC (http://tools.ietf.org/html/rfc2616#section-14.8):
When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
1. If the response includes the "s-maxage" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the origin
server, using the request-headers from the new request to allow
the origin server to authenticate the new request. (This is the
defined behavior for s-maxage.) If the response includes
"s-maxage=0", the proxy MUST always revalidate it before re-using
it.
2. If the response includes the "must-revalidate" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all caches
MUST first revalidate it with the origin server, using the
request-headers from the new request to allow the origin server
to authenticate the new request.
3. If the response includes the "public" cache-control directive,
it MAY be returned in reply to any subsequent request.
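Yes, the Vary header should do the trick. Thanks. – Peter 2009-11-18 12:25:31
Awesome! A shameless request, then? – yfeldblum 2009-11-18 13:44:40
If you are using HTTPS, is this even a problem? (If you are using basic authentication or the Authorization header, you should be using it) – wal 2012-08-02 04:01:57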
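
The three exceptions quoted from section 14.8, written as a decision function for a shared cache. This is an added example, not part of the original answer or of any real proxy's code. The function and constant names are hypothetical, and freshness under the ordinary max-age/Expires rules is assumed to be computed by the caller.

```python
# Added example: RFC 2616 section 14.8 as a shared-cache decision (hypothetical names).
SERVE, REVALIDATE, DO_NOT_REUSE = "serve", "revalidate", "do-not-reuse"


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_decision(request_headers, response_cache_control, age, is_fresh):
    """Decide how a shared cache may reuse a stored response.

    request_headers: headers of the request that produced the stored response.
    age: current age of the stored response, in seconds.
    is_fresh: freshness by the ordinary max-age/Expires rules (assumed given).
    """
    cc = parse_cache_control(response_cache_control)
    # Section 14.9: a shared cache never reuses private or no-store responses.
    if "no-store" in cc or "private" in cc:
        return DO_NOT_REUSE
    authorized = any(k.lower() == "authorization" for k in request_headers)
    # Exception 1: s-maxage allows reuse until that age has passed;
    # s-maxage=0 therefore always forces revalidation.
    if "s-maxage" in cc:
        try:
            s_maxage = int(cc["s-maxage"])
        except (TypeError, ValueError):
            s_maxage = 0  # unparsable value: conservative choice made in this example
        return SERVE if age < s_maxage else REVALIDATE
    # Without exception 2 (must-revalidate) or 3 (public), a response to an
    # authenticated request must not answer any other request.
    if authorized and "must-revalidate" not in cc and "public" not in cc:
        return DO_NOT_REUSE
    return SERVE if is_fresh else REVALIDATE


if __name__ == "__main__":
    auth = {"Authorization": "Basic <constructed-placeholder>"}  # constructed sample
    for cache_control in ("max-age=600", "s-maxage=0", "public, max-age=600"):
        print(cache_control, "->", shared_cache_decision(auth, cache_control, 10, True))
```
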