[4423] in WWW Security List Archive


Re: Removing info from a PC cache

daemon@ATHENA.MIT.EDU (John Gervasi - Loral - X1468)
Fri Feb 14 10:49:26 1997

Date: Fri, 14 Feb 1997 08:35:43 -0500
From: gervasi@manassas1.tds-gn.lmco.com (John Gervasi - Loral - X1468)
To: www-security@ns2.rutgers.edu, darren@factcomm.co.jp
Errors-To: owner-www-security@ns2.rutgers.edu

> From owner-www-security@ns2.rutgers.edu Fri Feb 14 04:42:05 1997

> To: <www-security@ns2.Rutgers.EDU>
> From: darren@factcomm.co.jp (Darren Cook)
> Subject: Re: Removing info from a PC cache
> Date: Thu, 13 Feb 1997 23:03:05 +0900
>
> >When using the "back" button in such browsers as Netscape Navigator and
> >Internet Explorer, the information for the previous pages is re-displayed.
> >When setting up an Internet site that requests ids and passwords/PINs for
> >commerce transactions, this creates the risk of having others use the PC to
> >get to the authenticating person's confidential info when the person does not
> >exit the browser before leaving the PC.
>
> The best way (and I'd be interested to hear alternatives) seems to be to
> assign them a 'session id' when they first log on, and then insert this id
> into all links (requires the pages to be parsed by a cgi program).
> Expire the id's after say 30 minutes (I record a 'last web activity' time
> each time I sent them back a page) of inactivity.
> Anyone who tries to access a page with no session id, or an outdated/invalid
> one, gets the 'input password' page.
> This does not need SSL, etc., but should run on top of it.
>
> Darren


I believe there is a simpler way but we have not tried it yet.  I remember
reading somewhere where you can specify from the server that web pages can be
set up to not be cached.  I don't know whether this helps your case or not but
you should look into the HTML command.

John
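
Added example, not code from either poster: the session-id scheme from the quoted message (id issued at login, inserted into links, expired after 30 minutes of inactivity) together with a server-side no-cache instruction as suggested in the reply. The names `SessionStore` and `serve`, the `sid` query parameter, the link paths, and the choice of HTTP response headers as the no-cache mechanism are assumptions; the thread names none of them.

```python
import secrets
import time

IDLE_LIMIT = 30 * 60  # seconds of inactivity before a session id expires

# Response headers asking browsers and proxies not to keep a copy of the page
# (assumed mechanism; the reply does not say how the server should signal this).
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",  # understood by HTTP/1.0 clients
    "Expires": "0",
}


class SessionStore:
    """Maps session id -> time of last web activity (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._last_seen = {}
        self._clock = clock

    def login(self):
        """Issue an unguessable id once the password check has succeeded."""
        sid = secrets.token_urlsafe(32)
        self._last_seen[sid] = self._clock()
        return sid

    def touch(self, sid):
        """Record activity and return True if sid is known and not idle too long."""
        last = self._last_seen.get(sid)
        if last is None:
            return False
        if self._clock() - last > IDLE_LIMIT:
            del self._last_seen[sid]  # an expired id is never revived
            return False
        self._last_seen[sid] = self._clock()
        return True


def serve(store, sid, page_links):
    """Return (headers, body); a missing, unknown or expired id gets the password page."""
    headers = dict(NO_CACHE_HEADERS)
    if not sid or not store.touch(sid):
        return headers, "<form action='/login'>input password</form>"
    # Insert the session id into every link on the page, as the quoted message describes.
    body = "".join(f"<a href='{href}?sid={sid}'>{href}</a>" for href in page_links)
    return headers, body
```

A session id carried in links also ends up in browser history and `Referer` headers, which is why a cookie is the more common carrier today.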
