[3470] in WWW Security List Archive
Re: CGI Security
daemon@ATHENA.MIT.EDU (Luke Smith)
Wed Nov 6 10:56:38 1996
From: toast@cyberstreet.com (Luke Smith)
To: "Kristian Elof Soerensen" <kris10an@internet.dk>,
"Saeid Parivash" <PARIVASH@cc1.unt.edu>
Cc: <www-security@ns2.rutgers.edu>
Date: Wed, 6 Nov 1996 06:24:42 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
HTTP://WWW.BOMBNET.COM/CHAPTER9/
----------
> From: Kristian Elof Soerensen <kris10an@internet.dk>
> To: Saeid Parivash <PARIVASH@cc1.unt.edu>
> Cc: www-security@ns2.rutgers.edu
> Subject: Re: CGI Security
> Date: Tuesday, November 05, 1996 5:54 AM
>
>
> >
> > There is a security problem with the above CGI application. What if
> > the user is in the lab, and does not close his navigator. Someone
> > can come along and click on the "back button" on their browser, and
> > find out the user ID and PIN #.
> >
>
> You can tell the browser not to cache the document by using the HTTP
> header:
>
> Pragma: no-cache
>
> There's more possibilities than this, look in chapters 4.5, 14.9 and
> 14.32 in the IETF-HTTP-draft for details.
>
>
>
> ***********
> Kristian Elof Soerensen http://www.gbar.dtu.dk/~c948632
> kris10an@internet.dk 45 93 92 02 2:236/447.19
>
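Cache-prevention headers for a CGI response that displays a user ID and PIN, as an added example that is not from this thread; the header values, the `cgi_response` / `is_uncacheable` helpers and the sample body are assumptions of mine, not the posters' code:

```python
"""Constructed example: emit and verify cache-prevention headers on a CGI
response that shows sensitive data, so a later Back-button click in a shared
lab browser is not served from the browser cache."""

# Header set covering both HTTP/1.0 and HTTP/1.1 clients (assumed values):
# Pragma is the HTTP/1.0-era header, Cache-Control the HTTP/1.1 one, and an
# Expires date in the past is a fallback for old caches.
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),
]


def cgi_response(body, content_type="text/html"):
    """Build the full CGI output (headers, blank line, body) as one string."""
    lines = [f"Content-Type: {content_type}"]
    lines += [f"{name}: {value}" for name, value in NO_CACHE_HEADERS]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_headers(raw):
    """Split a raw CGI/HTTP response into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_uncacheable(raw):
    """True only if the response carries Cache-Control: no-store, the
    directive that forbids storing the response at all; Pragma: no-cache
    on its own is kept for older clients but is not treated as sufficient."""
    cache_control = parse_headers(raw).get("cache-control", "")
    directives = {d.strip().lower() for d in cache_control.split(",")}
    return "no-store" in directives


if __name__ == "__main__":
    # Constructed page body; a real script would substitute the looked-up values.
    resp = cgi_response("<p>User ID: [constructed] PIN: [constructed]</p>")
    print(resp)
    print("uncacheable:", is_uncacheable(resp))
```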