[3457] in WWW Security List Archive
Re: CGI Security
daemon@ATHENA.MIT.EDU (Kristian Elof Soerensen)
Tue Nov 5 09:54:26 1996
Date: Tue, 5 Nov 1996 11:54:50 +0100 (GMT+0100)
From: Kristian Elof Soerensen <kris10an@internet.dk>
To: Saeid Parivash <PARIVASH@cc1.unt.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <5ACAB120976@cc1.unt.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
>
> There is a security problem with the above CGI application. What if
> the user is in the lab, and does not close his navigator. Someone
> can come along and click on the "back button" on their browser, and
> find out the user ID and PIN #.
>
You can tell the browser not to cache the document by using the HTTP
header:
Pragma: no-cache
There are more possibilities than this; look in chapters 4.5, 14.9 and
14.32 in the IETF-HTTP-draft for details.
***********
Kristian Elof Soerensen http://www.gbar.dtu.dk/~c948632
kris10an@internet.dk 45 93 92 02 2:236/447.19
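Added example, not part of the original message or of the CGI application under discussion: a small Python CGI response builder that emits the `Pragma: no-cache` header named in the reply together with the HTTP/1.1 `Cache-Control` and `Expires` equivalents, plus a defender's check that inspects a header set and reports whether anything in it still permits the response to be cached. The function names and the placeholder page body are assumptions for illustration.

```python
# Added example (not from the original message): anti-caching response
# headers for a CGI script that returns sensitive data, and a check that
# flags header sets which would let the browser keep a cached copy.
import sys
from email.utils import formatdate


def no_cache_headers():
    """Return CGI response headers that ask browsers and proxies not to cache.

    'Pragma: no-cache' is the HTTP/1.0-era directive named in the reply;
    Cache-Control and Expires are the HTTP/1.1 equivalents, sent together
    so that both old and new clients honour the request.
    """
    return [
        ("Content-Type", "text/html"),
        ("Pragma", "no-cache"),
        ("Cache-Control", "no-cache, no-store, must-revalidate"),
        # An Expires date in the past marks the response as already stale.
        ("Expires", formatdate(0, usegmt=True)),
    ]


def is_cacheable(headers):
    """Return True if nothing in the header set forbids caching.

    Header names are compared case-insensitively; Cache-Control is split
    into its comma-separated directives before checking.
    """
    lookup = {name.lower(): value for name, value in headers}
    if lookup.get("pragma", "").strip().lower() == "no-cache":
        return False
    directives = {
        d.strip().lower() for d in lookup.get("cache-control", "").split(",")
    }
    if directives & {"no-cache", "no-store"}:
        return False
    return True


def render(headers, body):
    """Serialize a CGI response: header lines, a blank line, then the body."""
    header_block = "\r\n".join(f"{name}: {value}" for name, value in headers)
    return header_block + "\r\n\r\n" + body


if __name__ == "__main__":
    # Constructed placeholder standing in for the page that shows the
    # user's account details after login.
    page = "<html><body>Account page (constructed sample)</body></html>\n"
    sys.stdout.write(render(no_cache_headers(), page))
```

The `is_cacheable` check is the part worth keeping around: run it over the headers a script actually emits (for example by capturing its output in a test) so that a later edit which drops one of the directives is caught before the page reaches a shared lab machine.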