That would be the end goal - but since all users get cookies there's not obvious "I'm anonymous" vs "I'm a signed-in-user" differentiator I can use to control whether to cache or serve live.

It'll happen, shortly, but the fastest solution was to re-deploy on a scaling platform.

When a user is logged in, use a Vary: Cookie header, when a user is not logged in, leave that off. Set the expiration time as appropriate.

Which brings the next question... why not use Github for authentication?