Created attachment 29990 [details] Patch Currently, when using sessions the Cache-Control flag gets set to no-cache automatically. This needs to be configurable since page caching is still needed when using sessions in some scenarios.
Option in config: SessionDBCache On
Switching caching off completely is broken, as it signals to shared caches that they may cache the session ID. Other valid options though are "private" where the browser can cache the page but not shared caches, and "private=<header>" and "no-cache=<header>". Maybe this should specify the Cache-Control header explicitly, instead of "on" or "off".