Only add the Vary: Cookie header when the request actually varies on the cookie

[anonymous]

Currently the session middleware adds a Vary: Cookie header to every request on the site unconditionally. This is what it should be doing when a view uses session data to process the request. But not every view in an application will make use of the session state just because some do.

Setting a Vary: Cookie header when the content does not actually depend on the cookie prevents downstream caching which could otherwise take place. It also forces browsers to revalidate content even when that content has cache control set to public and an expires header.

The fix for this is very simple. The session middleware already keeps track of whether the session has been modified so it only has to save on those requests. We just need to add a second flag to track whether the session has been accessed and then only set the Vary header when this flag is set. The attached patch against trunk makes this change.

A site I'm currently working on has a significant amount of infrequently changing XML and flash content which is served by Django as well as some normal views which make use of the session middleware. Changing the session middleware to not change the vary header unnecessarily results in a significant speedup since a large number of objects become cachable.

[Owen Griffiths]

Oops, forgot to add my name and email address.

[Malcolm Tredinnick]

(In [4680]) Fixed #3586 -- Only output "Vary: Cookie" HTTP header when the session object
is accessed. Leads to better caching performance. Thanks, Owen Griffiths.