[Catalyst] Re: Production session issue - commercial support inquiry?

Aristotle Pagaltzis pagaltzis at gmx.de
Tue Jan 27 02:16:55 GMT 2009


* Tomas Doran <bobtfish at bobtfish.net> [2009-01-27 00:00]:
> If your app isn't sending appropriate cache headers, then
> you're stuffed whatever you're using

Good thinking. And to be more explicit, whenever the same URI can
end up showing different contents, you want to set a `Vary`
header that tells any caches which request header(s) you are
using to decide which response to send.

Note that from both an HTTP and a web architecture point of view
it is still better to make sure that every resource has a
separate URI of its own. I.e. don’t put the shopping cart under
`/cart` and then use the auth info to decide which user’s cart to
actually show.

Instead, make it something like `/user/711/cart/7` (or something
else that involves an identifier for the cart – the actual
structure depends on a number of considerations) and merely use
the auth info to check whether the logged-in user is allowed to
look at that cart. That way, cache poisoning problems like this
one won’t even possibly happen.

Plus, having separate URIs for separate “bags of data” gives you
the basis for all sorts of useful features, like letting people
make their carts public and sending someone else the link, or
stuff like that. URIs are cheap, there is no reason to be stingy.
Engineer for serendipity.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
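The two designs contrasted above, as an added illustration (not code from this thread or from Catalyst): a toy shared cache that keys entries on the URI plus the request headers named in `Vary`, and three handlers for the cart resource. Session cookies, user ids and cart contents are constructed; the handler signatures and the cache model are assumptions made for the illustration.

```python
# Toy model of a shared (proxy/CDN) cache in front of three cart handlers.
# Everything here is constructed for illustration; it is not Catalyst code.

SESSIONS = {"sid=alice": "711", "sid=bob": "812"}          # cookie -> user id
CARTS = {"7": ("711", "2 books"), "9": ("812", "1 lamp")}  # cart id -> (owner, contents)


class SharedCache:
    """Caches 200 responses unless marked Cache-Control: private.

    The cache key is the URI plus the values of the request headers the
    response's Vary header names, which is how real shared caches behave.
    """

    def __init__(self, origin):
        self.origin = origin      # handler: (uri, req_headers) -> (status, body, headers)
        self.store = {}           # uri -> (vary, {variant_key: response})
        self.hits = 0

    @staticmethod
    def _variant_key(req_headers, vary):
        names = [n.strip() for n in vary.split(",") if n.strip()]
        return tuple(req_headers.get(n, "") for n in names)

    def get(self, uri, req_headers):
        entry = self.store.get(uri)
        if entry is not None:
            vary, variants = entry
            key = self._variant_key(req_headers, vary)
            if key in variants:
                self.hits += 1
                return variants[key]
        status, body, headers = self.origin(uri, req_headers)
        if status == 200 and "private" not in headers.get("Cache-Control", ""):
            vary = headers.get("Vary", "")
            variants = self.store.setdefault(uri, (vary, {}))[1]
            variants[self._variant_key(req_headers, vary)] = (status, body, headers)
        return status, body, headers


def _user_from(req_headers):
    return SESSIONS.get(req_headers.get("Cookie", ""))


def cart_by_session(uri, req_headers):
    """Design warned against above: one URI, contents chosen by the session."""
    user = _user_from(req_headers)
    if uri != "/cart" or user is None:
        return 401, "", {}
    for owner, contents in CARTS.values():
        if owner == user:
            return 200, contents, {}       # no Vary: a shared cache will mix users
    return 404, "", {}


def cart_by_session_with_vary(uri, req_headers):
    """Same URI, but Vary tells caches the response depends on Cookie."""
    status, body, headers = cart_by_session(uri, req_headers)
    return status, body, {**headers, "Vary": "Cookie"}


def cart_by_uri(uri, req_headers):
    """/user/<uid>/cart/<cid>: the URI names the cart; auth only authorizes."""
    parts = uri.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "user" or parts[2] != "cart":
        return 404, "", {}
    uid, cid = parts[1], parts[3]
    user = _user_from(req_headers)
    if user is None:
        return 401, "", {}
    cart = CARTS.get(cid)
    if cart is None or cart[0] != uid:
        return 404, "", {}
    if user != uid:
        return 403, "", {}
    # Even with one URI per cart, a shared cache must not replay an authorized
    # response to a later requester who is not allowed to see it, so mark it
    # private (and vary on Cookie for caches that ignore that).
    return 200, cart[1], {"Cache-Control": "private", "Vary": "Cookie"}


def run_scenario(handler, uri_for):
    """Alice fetches her cart through the cache, then Bob fetches his.

    Returns (status, body) of Bob's response; with the no-Vary handler it is
    Alice's cart, served from the cache.
    """
    cache = SharedCache(handler)
    cache.get(uri_for("711", "7"), {"Cookie": "sid=alice"})
    return cache.get(uri_for("812", "9"), {"Cookie": "sid=bob"})[:2]


def cross_user_request():
    """Bob requests Alice's cart URI after Alice fetched it: 403, not her data."""
    cache = SharedCache(cart_by_uri)
    cache.get("/user/711/cart/7", {"Cookie": "sid=alice"})
    return cache.get("/user/711/cart/7", {"Cookie": "sid=bob"})[0]


if __name__ == "__main__":
    same_uri = lambda uid, cid: "/cart"
    per_cart = lambda uid, cid: f"/user/{uid}/cart/{cid}"
    print("no Vary:     ", run_scenario(cart_by_session, same_uri))
    print("Vary: Cookie:", run_scenario(cart_by_session_with_vary, same_uri))
    print("URI per cart:", run_scenario(cart_by_uri, per_cart))
    print("cross-user:  ", cross_user_request())
```

Dropping the `Cache-Control: private` line from `cart_by_uri` makes `cross_user_request()` return 200 with Alice's contents, which is the caveat a per-resource URI alone does not cover: the URI design removes the same-URI ambiguity, but an authorized response still has to be marked as not shareable.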
