[1889] in WWW Security List Archive


Re: how do I keep a browser from caching files

daemon@ATHENA.MIT.EDU (Jeremey Barrett)
Wed Apr 24 03:39:06 1996

Date: Tue, 23 Apr 1996 22:28:08 -0700 (PDT)
From: Jeremey Barrett <jeremey@forequest.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <317D1515.6E99@cup.hp.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Tue, 23 Apr 1996, Gene Ingram wrote:

> > This is my first time posting to this list. Hope that I am following
> > procedure.
> > 
> >   My department is trying to run a program that will allow users to
> > access sensitive data. We have the security/password part down, but
> > most of the accesses will come from unsecure lab room machines. Does
> > anyone know of a way, an HTML tag, a meta tag, or something that will
> > instruct our university's Netscape 2.0 or better browsers not to cache
> > the resulting files, so that if a user walks away from a machine
> > someone else cannot come along and use the "back" button to view their
> > information?
> > 
> > Thank you in advance,
> > D'aryl Hawes
> > hawes@scus1.ctstateu.edu
> 
> If a secure file requiring HTML password access is cleared 
> from cache, then hitting BACK button is the same as hitting 
> site for first time *usually*, correct?

Yes, except that if you enter a username and password into an authentication
dialog, those are cached as well. There may be a way to disable that, but
I don't know of one.  If there is no way to disable that, then reloading
the page each time accomplishes nothing, because the username and
password will still be cached, so authentication will succeed automagically.

> 
> Anyway to answer your question, I'd say if the answer to 
> above is ``yes'' then the solution proposed by list member 
> willday@rom.oit.gatech.edu (Will Day) which causes server to 
> send ``Pragma: no-cache'' *does work* for your expressed 
> purpose when he wrote,
> 
> >         <HEAD>
> >         <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
> >         </HEAD>
> 
> I implemented Mr. Day's solution in a web page yesterday, 
> but couldn't tell if it was working because I'm on a T-1 
> (or is it T3) connection and it loads too fast to see if it's 
> caching or not.  When I went home last night and loaded it on 
> my 486-DX2/66 system at 14.4, it was (almost painfully) 
> apparent that the site was *not* cached in memory (since 
> every time I hit a link even within the same HTML file, or 
> hit BACK to revisit a link, it rehit entire HTML page).

I did this too, also adding basic authentication as a requirement.
The page was reloaded completely each time I hit "back", but the username
and password were cached (I only had to enter it the first time), so
each time the reload went right through, no questions asked. There may
be a solution to this, but I don't know it.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jeremey Barrett
Senior Software Engineer			jeremey@forequest.com 
The ForeQuest Company       			http://www.forequest.com/

   "less is more."
		-- Mies van de Rohe.

   Ken Thompson has an automobile which he helped design.  Unlike most
   automobiles, it has neither speedometer, nor gas gage, nor any of the
   numerous idiot lights which plague the modern driver.  Rather, if the
   driver makes any mistake, a giant "?" lights up in the center of the
   dashboard.  "The experienced driver", he says, "will usually know
   what's wrong."

		-- 'fortune` output
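
The setup discussed in this message, as an added example that is not part of the original post: a Python standard-library handler that requires Basic authentication and sends the no-cache directive as an HTTP response header instead of a META tag. The credentials, realm, port, and the extra `Cache-Control` and `Expires` headers are assumptions of this example.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials and realm (assumptions, not from the thread).
USER, PASSWORD, REALM = "labuser", "example-password", "sensitive-data"

# Pragma is the HTTP/1.0 directive discussed in the thread; Cache-Control and
# Expires are added here so HTTP/1.1 browsers and proxies also skip storage.
NO_CACHE_HEADERS = [
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-store"),
    ("Expires", "0"),
]

def credentials_ok(auth_header):
    """Return True if an Authorization header carries the expected Basic pair."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{USER}:{PASSWORD}"
    return hmac.compare_digest(decoded.encode(), expected.encode())

class SensitiveHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = credentials_ok(self.headers.get("Authorization"))
        body = b"<html><body>sensitive record</body></html>" if ok else b"auth required"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        # Sent on both outcomes, as real response headers rather than a META tag.
        for name, value in NO_CACHE_HEADERS:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SensitiveHandler).serve_forever()
```

These headers only govern storage of the page; the browser's replay of the Basic credentials that the message describes is unaffected by them.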

