diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml
index cd9ed5e759..dca16ab3ee 100644
--- a/.github/workflows/R-CMD-check.yaml
+++ b/.github/workflows/R-CMD-check.yaml
@@ -21,3 +21,5 @@ jobs:
 node-version: "14.x"
 R-CMD-check:
 uses: rstudio/shiny-workflows/.github/workflows/R-CMD-check.yaml@v1
+ with:
+ cache-version: "2.1"
diff --git a/R/shiny.R b/R/shiny.R
index ef9f255c77..92cecd19bd 100644
--- a/R/shiny.R
+++ b/R/shiny.R
@@ -1876,6 +1876,26 @@ ShinySession <- R6Class(
 # Provides a mechanism for handling direct HTTP requests that are posted
 # to the session (rather than going through the websocket)
 handleRequest = function(req) {
+ if (!is.null(self$user)) {
+ if (is.null(req$HTTP_SHINY_SERVER_CREDENTIALS)) {
+ # Session owner is logged in, but this requester is not
+ return(NULL)
+ }
+
+ requestUser <- NULL
+ try(
+ {
+ creds <- safeFromJSON(req$HTTP_SHINY_SERVER_CREDENTIALS)
+ requestUser <- creds$user
+ },
+ silent = TRUE
+ )
+ if (!identical(self$user, requestUser)) {
+ # This requester is not the same user as session owner
+ return(NULL)
+ }
+ }
+
 # TODO: Turn off caching for the response
 subpath <- req$PATH_INFO
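Review bot: The new ownership check at the top of `handleRequest` treats `req$HTTP_SHINY_SERVER_CREDENTIALS` as the requester's identity, but nothing in the hunk says who is allowed to set that header. It is only meaningful when a fronting proxy sets it and discards any client-supplied copy, so that assumption should be written next to the check, e.g. `# Assumes the hosting proxy sets req$HTTP_SHINY_SERVER_CREDENTIALS and drops client-supplied copies; sessions with a NULL self$user skip this check entirely.` The `try(..., silent = TRUE)` block fails closed, because any parse error leaves `requestUser` as `NULL` and `identical()` against the non-NULL `self$user` is then FALSE; a one-line comment such as `# On any parse failure requestUser stays NULL, so the comparison below rejects the request` would keep a later refactor from making it fail open. Both rejections return `NULL` without emitting any log message, so a mismatched-user request leaves no trace for whoever investigates later; what the caller does with `NULL` is outside the hunk, as is the rest of the function body.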