Consider the following scenario:

  • I have a RESTful URL /articles that returns a list of articles
  • the user provides his credentials using the Authorization HTTP header on each request
  • articles may vary from user to user based on his privileges

Is it possible to use a caching proxy, like Squid, for this scenario? The proxy will see only the URL /articles, so it may return the list of articles valid only for the first user that generates the cache. Other users requesting the URL /articles can see articles they don't have access to, which is not desirable of course.

Should I roll my own cache, or can some caching proxy software be configured to base its cache on the Authorization HTTP header?

+2  A: 

One possibility to try is using the Vary: Authorization response header to instruct downstream caches to be careful about caching by varying the cached documents based on the request's Authorization header.

You may already be using this header if you use response compression. The user generally requests a resource with the header Accept-Encoding: gzip, deflate; if the server is configured to support compression, then the response might come with the headers Content-Encoding: gzip and Vary: Accept-Encoding already.

Justice
Yes, Vary header should do the trick. Thanks.
Peter
Great! Shameless plea for an upvote, then?
Justice
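To make the leak and the fix concrete, here is an added simulation (not code from the question or the answer) of a shared cache that keys entries on the URL plus the request headers named in the response's Vary header. The origin server, the two bearer tokens and the article lists are constructed data; the cache semantics are a minimal model of how a Vary-aware proxy builds its secondary key. Without Vary: Authorization the second user is served the first user's cached list; with it, each token gets its own entry.

```python
"""Simulation of a shared HTTP cache honouring the Vary response header.

Constructed example: origin, requests and responses are in-memory values,
not real HTTP traffic. The proxy model is simplified for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]

# Constructed data: which articles each Authorization token may see.
ARTICLES_BY_TOKEN = {
    "Bearer alice-token": ["public-1", "alice-private"],
    "Bearer bob-token": ["public-1", "bob-private"],
}


def origin(method: str, path: str, headers: Dict[str, str],
           vary_on_authorization: bool) -> Response:
    """Hypothetical origin server for /articles.

    Marks the response as publicly cacheable (the weak setting that makes the
    leak possible) and, when asked, adds Vary: Authorization (the fix).
    """
    if method != "GET" or path != "/articles":
        return 404, {}, ""
    token = headers.get("Authorization")
    articles = ARTICLES_BY_TOKEN.get(token, ["public-1"])
    resp_headers = {"Cache-Control": "public, max-age=60"}
    if vary_on_authorization:
        resp_headers["Vary"] = "Authorization"
    return 200, resp_headers, ",".join(articles)


class SharedCache:
    """Minimal shared cache: primary key (method, path), secondary key = Vary."""

    def __init__(self, fetch: Callable[[str, str, Dict[str, str]], Response]):
        self.fetch = fetch
        # (method, path) -> list of (vary_header, vary_values, response)
        self.store: Dict[Tuple[str, str], List[Tuple[str, tuple, Response]]] = {}
        self.hits = 0
        self.misses = 0

    @staticmethod
    def _vary_values(vary: str, req_headers: Dict[str, str]) -> tuple:
        """Select the request header values named in Vary (case-insensitive)."""
        names = [v.strip().lower() for v in vary.split(",") if v.strip()]
        lower = {k.lower(): v for k, v in req_headers.items()}
        return tuple((n, lower.get(n)) for n in names)

    def get(self, method: str, path: str, req_headers: Dict[str, str]) -> Response:
        for vary, stored_values, response in self.store.get((method, path), []):
            if vary == "*":  # Vary: * means the entry never matches a new request
                continue
            # No Vary header -> empty tuple -> every request matches (the leak).
            if self._vary_values(vary, req_headers) == stored_values:
                self.hits += 1
                return response
        self.misses += 1
        status, resp_headers, body = self.fetch(method, path, req_headers)
        response = (status, resp_headers, body)
        if status == 200 and "public" in resp_headers.get("Cache-Control", ""):
            vary = resp_headers.get("Vary", "")
            self.store.setdefault((method, path), []).append(
                (vary, self._vary_values(vary, req_headers), response))
        return response


def simulate(vary_on_authorization: bool) -> Tuple[str, str, str, int]:
    """Alice, then Bob, then Alice again request /articles through one cache.

    Returns (alice_body, bob_body, alice_again_body, cache_hits).
    """
    cache = SharedCache(lambda m, p, h: origin(m, p, h, vary_on_authorization))
    alice = {"Authorization": "Bearer alice-token"}
    bob = {"Authorization": "Bearer bob-token"}
    _, _, alice_body = cache.get("GET", "/articles", alice)
    _, _, bob_body = cache.get("GET", "/articles", bob)
    _, _, alice_again = cache.get("GET", "/articles", alice)
    return alice_body, bob_body, alice_again, cache.hits


if __name__ == "__main__":
    print("without Vary:", simulate(False))
    print("with Vary:   ", simulate(True))
```

Two practical points follow from the model. First, a Vary: Authorization entry only matches a request carrying the identical header value, so with per-user bearer tokens the proxy holds one copy per user and the hit rate drops accordingly; the header prevents cross-user leakage, it does not share work between users. Second, the leak in the no-Vary run only happens because the origin marked the response Cache-Control: public; a shared cache following RFC 7234 would otherwise refuse to store a response to a request that carried Authorization, so the Cache-Control directives on authenticated responses deserve the same review as the Vary header.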