tedivm / mortar

Automatically exported from code.google.com/p/mortar

Last-Modified Headers Don't Respect Sessions #108

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create two users, a and b.
2. Create a location c that has content only a can see.
3. Log in as a.
4. View c.
5. Log out and log back in as b.
6. Navigate to the URL of c.

What is the expected output? What do you see instead?

You should see the version of c that b's permissions allow it to see, but
instead you see the original a version. This is because we send "last
modified" headers so that browsers can cache details, but these headers do
not take session into account -- they ought to check the time at which the
current session began and send that time if it's newer than the real
last-modified time.

Original issue reported on code.google.com by charlequin@gmail.com on 24 May 2010 at 8:33

GoogleCodeExporter commented 9 years ago
I think the way to handle this is going to be by removing this feature 
altogether for indexes (and possibly other dynamic files) and instead to rely 
on just the etags. This won't provide much in the way of CPU savings, as the 
output will still have to be calculated, but it will still save bandwidth.

Original comment by tedivm@tedivm.com on 27 Jun 2010 at 7:54
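
The two proposals in this thread (send the session start time as Last-Modified when it is newer, and validate on ETags of the rendered output), sketched as an added example that is not Mortar's code. All function names, timestamps and page bodies are constructed for illustration, and the ETag is assumed to be a hash of the output rendered for the current user.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

def validators(body: bytes, content_mtime: datetime, session_start: datetime) -> dict:
    """Cache validators for one user's rendering of a page (hypothetical helper)."""
    # Issue's proposal: report the session start when it is newer than the content.
    last_modified = max(content_mtime, session_start).replace(microsecond=0)
    # Comment's proposal: ETag over the rendered output, so it differs per permission view.
    etag = '"' + hashlib.sha256(body).hexdigest()[:32] + '"'
    return {"Last-Modified": format_datetime(last_modified, usegmt=True), "ETag": etag}

def naive_status(request_headers: dict, content_mtime: datetime) -> int:
    """Behaviour described in the issue: compare against the content's mtime only."""
    ims = request_headers.get("If-Modified-Since")
    if ims and parsedate_to_datetime(ims) >= content_mtime.replace(microsecond=0):
        return 304
    return 200

def session_aware_status(request_headers, body, content_mtime, session_start) -> int:
    """Answer 304 only when the cached copy matches this session's rendering."""
    current = validators(body, content_mtime, session_start)
    inm = request_headers.get("If-None-Match")
    if inm is not None:  # an ETag check takes precedence over the date (RFC 7232)
        return 304 if current["ETag"] in [t.strip() for t in inm.split(",")] else 200
    ims = request_headers.get("If-Modified-Since")
    if ims and parsedate_to_datetime(ims) >= parsedate_to_datetime(current["Last-Modified"]):
        return 304
    return 200

def demo() -> dict:
    utc = timezone.utc
    mtime = datetime(2010, 5, 1, 12, 0, tzinfo=utc)     # constructed: c last edited
    a_login = datetime(2010, 5, 24, 8, 0, tzinfo=utc)   # constructed: a's session start
    b_login = datetime(2010, 5, 24, 8, 30, tzinfo=utc)  # constructed: b's session start
    body_a, body_b = b"<p>restricted content</p>", b"<p>access denied</p>"
    # Browser cache left over from a's visit under the old scheme (mtime only).
    old_cache = {"If-Modified-Since": format_datetime(mtime, usegmt=True)}
    # Browser cache left over from a's visit under the session-aware scheme.
    a_val = validators(body_a, mtime, a_login)
    return {
        "naive": naive_status(old_cache, mtime),
        "date": session_aware_status({"If-Modified-Since": a_val["Last-Modified"]},
                                     body_b, mtime, b_login),
        "etag": session_aware_status({"If-None-Match": a_val["ETag"]},
                                     body_b, mtime, b_login),
        "a_revisit": session_aware_status({"If-None-Match": a_val["ETag"]},
                                          body_a, mtime, a_login),
    }
```

In `demo()`, the `naive` case reproduces the report (b's request is answered 304 and the browser reuses a's copy), while the `date` and `etag` cases force a fresh 200 for b and `a_revisit` still gets a 304.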