Vary the cache on the session, Token and LoggedOut cookies, but not the UserID cookie. The session and Token cookies are necessary because they can represent credentials. The UserID cookie is sometimes present after the credential cookies have expired and thus the request is anonymous. Need to vary on the LoggedOut cookie to prevent Squid from returning a 304 response for a logged-in page view cached on the client. Presumably this could be better dealt with with ETags.
Always send Cache-Control: private when there is a cache-varying cookie present, to prevent pollution of the logged-in user cache with logged-out page views. This missing logic is why people have been reporting getting logged out.
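
The two rules above, modelled as an added example (not code from this commit or its project): the cache key uses only the three cache-varying cookies, and any response to a request carrying one of them is marked private so a shared cache never stores it. The bare cookie names without a prefix, the header values, the `origin` function and the sample requests are assumptions constructed for the illustration.

```python
# Added illustration: cookie names come from the text above; the cache model,
# header values and sample requests are constructed.
CACHE_VARYING_COOKIES = ("session", "Token", "LoggedOut")  # UserID is excluded

def parse_cookie_header(header):
    """Parse a Cookie request header into a dict (simple name=value pairs)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def varying_cookies(header):
    """Return only the cookies that are allowed to split the cache."""
    cookies = parse_cookie_header(header)
    return {n: cookies[n] for n in CACHE_VARYING_COOKIES if n in cookies}

def cache_key(url, cookie_header):
    """Shared-cache key: the URL plus only the cache-varying cookies."""
    return (url, tuple(sorted(varying_cookies(cookie_header).items())))

def cache_control(cookie_header):
    """Send 'private' whenever any cache-varying cookie is present."""
    if varying_cookies(cookie_header):
        return "private, must-revalidate, max-age=0"
    return "s-maxage=300, must-revalidate, max-age=0"  # constructed anonymous policy

def origin(cookie_header):
    """Constructed origin: only session=valid counts as a live login."""
    live = parse_cookie_header(cookie_header).get("session") == "valid"
    return "page for " + ("alice" if live else "anonymous"), cache_control(cookie_header)

class SharedCache:
    """Minimal shared cache that honours Cache-Control: private."""
    def __init__(self):
        self.entries = {}

    def fetch(self, url, cookie_header):
        key = cache_key(url, cookie_header)
        if key in self.entries:
            return self.entries[key], "HIT"
        body, control = origin(cookie_header)
        if "private" not in control.split(", "):
            self.entries[key] = body
        return body, "MISS"
```

A request that carries only `UserID` shares the anonymous cache entry, while a request with an expired `session` cookie is rendered as anonymous but never stored, so the logged-out view cannot be served back under that cookie later.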