id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23939	"SessionAuthenticationMiddleware causes ""Vary: Cookie"" header no matter what"	Andrew Badr	nobody	"Setting a ""Vary: Cookie"" header when unnecessary is bad for reasons described in e.g. #3586, #6552. It seems that the recently-introduced and on-by-default SessionAuthenticationMiddleware causes this header to always be set. This seems to be caused by the `hasattr(user, 'get_session_auth_hash')` call at https://github.com/django/django/blob/1.7.1/django/contrib/auth/middleware.py#L34.

To reproduce: start a new empty project with django-admin.py, request the index page, and see that the Vary: Cookie header is present. Commenting-out the middleware's line in settings.py causes the header to disappear.

It might be good to add a general test case verifying that the default page never sets a Vary: Cookie header."	Bug	new	contrib.auth	1.7	Normal		cookies		Unreviewed	0	0	0	0	0	0