UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Enter a URL in the location bar for a file protected by an login - Chrome sends HTTP GET.

2. Server respond HTTP 302 with Location set to login page

3. User logs completes login step and server re-directs back to original URL in step 1.

4. Chrome sends another HTTP GET, this time server responds HTTP 200, with response header "Cache-Control: max-age=864000, must-revalidate" and the file contents.

5. User logs out of application.

6. User puts the same URL from step 1 into the location bar and hits <ENTER>.  Cached contents are served directly to the user without revalidating the server.

However hitting "Refresh" properly checks the server, which then initiates the login process again.

What is the expected behavior?
In step 6,  i would expect, since the file is cached with "must-revalidate", that chrome would ask the server if the file had been modified before showing the cached content to the user.

What went wrong?
cached content with "must-revalidate" is shown to the user without first revalidating with the server.  This only happens when the user types/pastes the url into the location bar and hits enter.

Is this correct?

Did this work before? N/A 

Chrome version: 52.0.2743.116  Channel: stable
OS Version: OS X 10.9.5
Flash Version: Shockwave Flash 22.0 r0