[1298] in WWW Security List Archive
Re: caching protected documents
daemon@ATHENA.MIT.EDU (Holger Reif)
Thu Dec 21 07:07:24 1995
Date: Thu, 21 Dec 95 10:33:55 +0100
From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
To: www-security@ns1.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Brain21 <brain21@montag33.residence.gatech.edu>:
:On Wed, 20 Dec 1995, Jeff Weinstein wrote:
:> that the "authentication key"(password) was somehow being saved by
:> netscape. In fact it was not, and what he was seeing was the result of
:> a minor bug in the caching code, displaying a page that should have
:> been thrown out of the cache. If the server was ever contacted again,
:> a real username and password would have to be typed to access protected
:> pages.
:>
[ lengthy description of what he saw ]
:What does this mean?? This is NOT necessarily a cacheing problem!!!
Please read some material about "BAsic Authentication Scheme". I think
there is a page under
http://www.w3.org/hypertext/WWW/AccessAuthorization/Basic.html
(no garantie) and pages around.
You will find, that a browser assumes that in one directory all documents
are protected by the same server and same scheme and therefore he sends
the uid and passwd with the request (and succeeds in your case).
The other "problem" is the back button. In neither case contacts the browser
again but shows you, what it has. This is not caching!!! In 100 years, when
all cache have expired - the already visited pages are still there...
What should you do?
If you leave your "physical insecure" computer lock the screen. Or go back to
your Homepage and open http://www.foo.bar.com/ (or load your favourite
playmate). All of your history will be destroyed...
Or even better: simply exit from netscape...
:Now where's our T-Shirts?
You won't get a T-Shirt for this since it isn't a bug (you can call it a
documented feature) and not specific for netscape. Try the same with xmosaic.
(What, there are browsers beside netscape ;-)
read you later - Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/
