The fix for EZP-25204 causes a regression, in that symfony user-hash response headers do not vary by cookie, which causes them to be cached.

The result is that after a user with rights visits an otherwise unaccessible content, logging out and visiting the same content with anonymous user will be possible

• Enable symfony http cache or varnish reverse-proxy
• define a new section and add a document to this section (e.g. /test).
• anonymous user have rights for read doc in section standard only
• define a user "b" with read rights to the new section
• login with user "b" and visit /test
• logout
• visit the page again with anonymous and it will be accessible