[2919] in WWW Security List Archive


Re: page security

daemon@ATHENA.MIT.EDU (Antonio Vasconcelos)
Wed Sep 11 08:04:18 1996

In-Reply-To: <32355329.F3@ponton.uni-hannover.de>
To: Kate Baumann <kate@ponton.uni-hannover.de>,
        Thomas "L." Hobika <hobika@kodak.com>
Reply-To: vasco@bvl.pt
Cc: www-security@ns2.rutgers.edu
From: Antonio Vasconcelos <vasco@bvl.pt>
Date: Wed, 11 Sep 96 08:56:39 +0100 (WET)
Errors-To: owner-www-security@ns2.rutgers.edu

In reply to Kate Baumann about Re: page security

> Thomas L. Hobika wrote:
> > 
> > Hello,
> > 
> > I recently posted regarding page security. I had asked if there was a
> > way to force a user to authenticate before getting access to a page or
> > server. I have been able to implement this via password protection and
> > www_acl lists, however, I am having problems with preventing the
> > authenticated pages from being cached. This caching of the pages is
> > causing concern .. I have been told of a "Pragma: no-cache" and recently
> > read something to the effect that including an "Expire" tag dated with
> > an earlier date to force the page to be refreshed or not be cached. Is
> > this true? If so, how do you implement the above tags? I would be
> > interested in seeing some examples if someone could please provide them.
> 
> I'm pretty sure that you have a serious problem here.  Your first
> mail on this issue states that it's a security problem to your
> company even if pages are cached to local machines, right?
> 
> Hum, actually I can't think of any way to prevent caching 
> from "normal" HTML-pages. That's because the caching process is
> a main feature of HTML-distribution. Caching saves bandwidth and
> makes connections faster, just think of the new caching mechanisms
> like Harvest. 
> 
> Ok, that's really not your problem. You'll have to find a way around
> it. Call this hacking if you like. ;-)
> 
> So what about non-cacheable-pages? Hold all your information in a
> database and generate the pages individually for every user. Just
> on the fly. 

That could be 'cacheable' too...
The following document should not be cached by anyone, browser or proxy-server.

<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<TITLE> ....... </TITLE>
</HEAD>
<BODY>
....
</BODY>
</HTML>

--
Antonio Vasconcelos
[ D.S.I. N.S.C.M. ]
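
Added example, not part of the original post or of the list archive: the "Pragma: no-cache" and past-dated "Expires" asked about in the thread, sent as HTTP response headers on a password-protected page, which is the form in which a proxy server sees them. The HTTP/1.1 Cache-Control header, the sample credentials, the realm name and the function names are assumptions of this example and do not come from the thread.

```python
# Added example: cache-suppressing headers on a page behind Basic authentication.
import base64
import hmac
from email.utils import formatdate
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "demo", "demo-password"      # constructed sample credentials
PAGE = b"<HTML><BODY>protected content</BODY></HTML>"   # constructed sample page

def no_cache_headers():
    """Headers telling browsers and proxies not to store or reuse the response."""
    return [
        ("Pragma", "no-cache"),                   # honoured by HTTP/1.0 caches
        ("Expires", formatdate(0, usegmt=True)),  # a date in the past: already stale
        ("Cache-Control", "no-store, private"),   # HTTP/1.1 (assumption, not in thread)
    ]

def authorized(header_value):
    """Compare an Authorization header value with the sample Basic credentials."""
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    supplied = (header_value or "").encode("utf-8")
    return hmac.compare_digest(supplied, ("Basic " + token).encode("utf-8"))

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = authorized(self.headers.get("Authorization"))
        body = PAGE if ok else b"authentication required\n"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="protected"')
        for name, value in no_cache_headers():    # sent on the 401 as well
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html" if ok else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                 # keep the example quiet
        pass

if __name__ == "__main__":
    # Listens on loopback only; port 8000 is an arbitrary choice for the example.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```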



