I am reading a book about MVC2, and in the OutputCache section it states:

Warning In the earlier section “How Authorization Filters Interact with Output Caching,” I explained that [Authorize] has special behavior to ensure that unauthorized visitors can’t obtain sensitive information just because it’s already cached. However, unless you specifically prevent it, it’s still possible that cached output could be delivered to a different authorized user than the one for whom it was originally generated. One way to prevent that would be to implement your access control for a particular content item as an authorization filter (derived from AuthorizeAttribute) instead of simply enforcing authorization logic inline in an action method, because AuthorizeAttribute knows how to avoid being bypassed by output caching. Test carefully to ensure that authorization and output caching are interacting in the way you expect.

Is this still true in MVC3?

If affirmative, what is the way to prevent that of happening? (because the explanation in the book is too vague).

Regards.

I think it is.

When you are using OutPutCache to cache data, these data are cached globally. As long as a user is authorized, the user will get cached data.

Yes we have "VaryByParam" options for outputcache, but it also creates a new cache for every different parameter passed. which means it's still globally.

So if you want to cache different data based on users, outputcache may not be the right way doing it. If data is user specific, session is the right choice. it's what session lives for