I found some strange behaviour in the OutputCacheHandler when using an alternative identity provider such as aspnet Identity or Auth0, i.e not Forms or Windows.
When the output cache is active and a user is authenticated i.e logged in, browsing to a public page (anonymous can view) will cause a cookie "KeepLoggedOnUser" to be set with the value "True".
When logging out and browsing to a public page the server will throw an access denied error, eventhough the page is public.
This is not so much of a problem when only editors use authentication, but for third party users, such as website members, this will disable them to view public content until logging in or clearing the "KeepLoggedOnUser" cookie.
I believe this a part of the logic to keep a Windows user logged in even as the session expires.
As the cookie is set by the KeepUserLoggedOn() method in OutputCacheHandler by the assumption that if authentication mode is not Forms, then it's Windows this seems like a bug to me...
A workaround for this seems to be to set the attribute uiKeepUserLoggedOn=“false” on applicationSettings in web.config.