"Cache-Control: must-revalidate" means shared cache
Trac sends a "Cache-Control: must-revalidate" header for its content. This is wrong, because it doesn't say that the response in some cases must be different for anonymous (error page) and authenticated (real content) users. Some ISPs here still force Squid 2.5-STABLE10 on the users as a transparent proxy, and it does cache error pages.
Thus, if an anonymous user behind such a proxy receives a "You are currently not logged in. You may want to do so now." message and clicks the "do so" link, they again receive the cached error message instead of the desired page after logging in. Shift+Reload solves this.
The correct header that indicates that the content is indeed different for different users is "Cache-Control: private". It does solve the Squid problem. Please use it instead of "Cache-Control: must-revalidate".
P.S. The suggestion to do so via web server configuration is invalid, as lighttpd can only add, not replace, headers.
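An added example, not part of the original ticket and not Trac's own code: one way to get the requested header without touching the web server is to rewrite it at the application layer. The sketch assumes the application is deployed as a WSGI app; `PrivateCacheControl`, `privatize` and `demo_app` are hypothetical names, and keeping `must-revalidate` alongside `private` is a choice made here, not something the ticket specifies.

```python
import re

SHARED_ONLY = {"public", "s-maxage"}  # directives that invite shared caching

def privatize(value):
    """Return a Cache-Control value with bare `private` added and shared-cache
    directives removed; other directives (e.g. must-revalidate) are kept."""
    kept = []
    # Split on commas that are not inside a quoted field list.
    for raw in re.findall(r'(?:[^,"]|"[^"]*")+', value):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in SHARED_ONLY or name == "private":
            continue
        kept.append(directive)
    return ", ".join(["private"] + kept)

class PrivateCacheControl:
    """WSGI middleware: collapse all Cache-Control headers into one private one."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            values = [v for k, v in headers if k.lower() == "cache-control"]
            others = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            others.append(("Cache-Control", privatize(", ".join(values))))
            return start_response(status, others, exc_info)
        return self.app(environ, patched_start)

def demo_app(environ, start_response):
    # Constructed stand-in for the wrapped application's "not logged in" page.
    start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                     ("Cache-Control", "must-revalidate")])
    return [b"You are currently not logged in."]

def demo_headers():
    """Run demo_app through the middleware and return the headers it emits."""
    seen = {}
    def capture(status, headers, exc_info=None):
        seen.update(headers)
    PrivateCacheControl(demo_app)({}, capture)
    return seen
```

Because the header is replaced inside the application's own response, this does not depend on the front-end server being able to overwrite headers.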