It is my understanding that page level caching does not take into account that, for authenticated sites, different users may request the exact same page (URL) while the rendered page itself is different (because it contains stuff that is user specific).
Unless you activate cookieless authentication (then the sessionID becomes part of the URL) all users will see the same cached page (regardless of who they are).
Is this correct?
Yes, you are 100% correct on this one.
Typically I'll move to user controls, to be able to cache the user controls of the items that do not change from user to user.
You can then use Session, or another cache store if you must cache user specific data.
Depending on how much dynamic contnent you have on a page you could use the Substitution control to render dynamic content on a cached page.
This control is bound to a static method (remember that the page lifecycle hasn't run as this is cached version of the page and none of the objects created in Page_Load etc wiil be available) that returns dynamic content and can be positioned wherever you want on the page.
<asp:Substitution ID="mySubstitution" runat="server" MethodName="GetLoggeninUserName" />
The other option is "Donut Caching" as Scott Guthrie calls it:
Implement "Donut Caching" with the ASP.NET 2.0 Output Cache Substitution Feature
This allows you to have page level caching, while implementing certain elements in non-cached "holes".
Yes you're correct and the Substitution control noted by Andy (and Zhaph) is your best answer if you're using ASP.NET 2.0 or above. Creating separate user controls for the non-user-specific content is a less ideal approach that should only be used if you're stuck working with ASP.NET v1.x (so you should mark Andy's as the answer, I would think).