Use NoVary Session middleware.

apps/mozorg/middleware.py

@@ -1,7 +1,11 @@
-from email.utils import formatdate
 import datetime
+from email.utils import formatdate
 from time import mktime
 
+from django.conf import settings
+from django.contrib.sessions.middleware import SessionMiddleware
+
+
 class CacheMiddleware(object):
 
     def process_response(self, request, response):
@@ -15,3 +19,27 @@ class CacheMiddleware(object):
             response['Cache-Control'] = 'max-age=600'
             response['Expires'] = formatdate(timeval=stamp, localtime=False, usegmt=True)
         return response
+
+
+class NoVarySessionMiddleware(SessionMiddleware):
+    """
+    SessionMiddleware sets Vary: Cookie anytime request.session is accessed.
+    request.session is accessed indirectly anytime request.user is touched.
+    We always touch request.user to see if the user is authenticated, so every
+    request would be sending vary, so we'd get no caching.
+    """
+
+    def process_response(self, request, response):
+        if getattr(settings, 'READ_ONLY', False):
+            return response
+        # Let SessionMiddleware do its processing but prevent it from changing
+        # the Vary header.
+        vary = response.get('Vary', None)
+        new_response = (super(NoVarySessionMiddleware, self)
+                        .process_response(request, response))
+        if vary:
+            new_response['Vary'] = vary
+        else:
+            del new_response['Vary']
+        return new_response
+

settings/base.py

@@ -235,7 +235,7 @@ MIDDLEWARE_CLASSES = (
     'funfactory.middleware.LocaleURLMiddleware',
     'multidb.middleware.PinningRouterMiddleware',
     'django.middleware.common.CommonMiddleware',
-    'django.contrib.sessions.middleware.SessionMiddleware',
+    'mozorg.middleware.NoVarySessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'session_csrf.CsrfMiddleware',  # Must be after auth middleware.
     'django.contrib.messages.middleware.MessageMiddleware',