Recently we found a serious browser caching issue in one of our projects. Here is the actual scenario:
1. From the website, log in as a member
2. Browse the same page multiple times; suddenly the browser will show that you are not logged in
3. If you press CTRL+F5, you will find yourself as a logged-in user
After doing some investigation, we found that the browser serves the page from its cache without communicating with the server. This is happening because we have enabled $conf['omit_vary_cookie'] = TRUE; in settings.php of Drupal. It was actually recommended by Varnish a year ago, when we enabled Varnish for this site. Recently Varnish updated their configuration page and removed the recommendation of $conf['omit_vary_cookie'] = TRUE;
So we did some research into what omit_vary_cookie does. We found that,
"By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page views. This tells a HTTP proxy that it may return a page from its local cache without contacting the web server, if the user sends the same Cookie header as the user who originally requested the cached page. Without "Vary: Cookie", authenticated users would also be served the anonymous page from the cache. If the site has mostly anonymous users except a few known editors/administrators, the Vary header can be omitted. This allows for better caching in HTTP proxies (including reverse proxies), i.e. even if clients send different cookies, they still get content served from the cache. However, authenticated users should access the site directly (i.e. not use an HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid getting cached pages from the proxy."
So we commented out $conf['omit_vary_cookie'] = TRUE; in the settings.php file, and this resolved the issue for us.
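
The behaviour described above can be reproduced with a small model of a cache that honours the Vary response header, run once with the header omitted and once with it sent. This is an added example, not code from Drupal or Varnish; `origin`, `VaryCache` and `replay` are hypothetical names, and the session cookie value and response headers are constructed.

```python
def origin(request_headers, omit_vary_cookie):
    """Constructed stand-in for the site: member page only with a session cookie."""
    if "SESS" in request_headers.get("Cookie", ""):
        # Authenticated pages are marked non-cacheable in this model.
        return {"Cache-Control": "no-cache, must-revalidate"}, "Welcome back, member"
    headers = {"Cache-Control": "public, max-age=300"}
    if not omit_vary_cookie:
        headers["Vary"] = "Cookie"  # what the site sends when the setting is off
    return headers, "You are not logged in"


class VaryCache:
    """Browser or proxy cache: a stored response is reused only if every
    request header named in its Vary header matches the original request."""

    def __init__(self, omit_vary_cookie):
        self.omit_vary_cookie = omit_vary_cookie
        self.store = {}  # url -> list of (varied request header values, body)

    def get(self, url, request_headers):
        for varied, body in self.store.get(url, []):
            # With no Vary header, `varied` is empty and any request matches.
            if all(request_headers.get(n, "") == v for n, v in varied.items()):
                return body, "HIT"
        headers, body = origin(request_headers, self.omit_vary_cookie)
        if "public" in headers["Cache-Control"]:
            names = [n.strip() for n in headers.get("Vary", "").split(",") if n.strip()]
            varied = {n: request_headers.get(n, "") for n in names}
            self.store.setdefault(url, []).append((varied, body))
        return body, "MISS"


def replay(omit_vary_cookie):
    """Anonymous visit fills the cache, then the same URL is requested after login."""
    cache = VaryCache(omit_vary_cookie)
    cache.get("/node/1", {})
    return cache.get("/node/1", {"Cookie": "SESSabc=constructed"})


if __name__ == "__main__":
    print("omit_vary_cookie = TRUE :", replay(True))
    print("omit_vary_cookie unset  :", replay(False))
```

With the setting enabled, the logged-in request is answered from the cached anonymous copy; with Vary: Cookie in place, the changed Cookie header forces a request to the server.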