[4455] in WWW Security List Archive


Re: Removing info from a PC cache

daemon@ATHENA.MIT.EDU (Darren Cook)
Sat Feb 15 03:47:42 1997

To: www-security@ns2.rutgers.edu
From: darren@factcomm.co.jp (Darren Cook)
Date: Sat, 15 Feb 1997 15:08:42 +0900
Errors-To: owner-www-security@ns2.rutgers.edu

>> The best way (and I'd be interested to hear alternatives) seems to be to
>> assign them a 'session id' when they first log on, and then insert this id
>> into all links (requires the pages to be parsed by a cgi program).
>> Expire the id's after say 30 minutes (I record a 'last web activity' time
>> each time I send them back a page) of inactivity.
>> Anyone who tries to access a page with no session id, or an outdated/invalid
>> one, gets the 'input password' page.
>> This does not need SSL, etc., but should run on top of it.
>> 
>I believe there is a simpler way but we have not tried it yet.  I remember 
>reading somewhere where you can specify from the server that web pages can be 
>set up to not be cached.  I don't know whether this helps your case or not but 
>you should look into the HTML command.
>
Do you mean "Pragma: no-cache"? This seems to be to force proxy servers to
fetch a new copy, and is sent from the client to the server.
If there is something similar the cgi program can send to the client, can
someone tell me how to use it? 

Darren
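
A sketch of the session-id scheme quoted at the top of this message, added here as an illustration and not part of the original post or of any poster's code. The names SessionStore, add_sid_to_links, handle and the "sid" query parameter are assumptions, and the store is a plain in-memory dict.

```python
import re
import secrets
import time

IDLE_LIMIT = 30 * 60  # seconds; the "say 30 minutes" of inactivity from the post
LOGIN_PAGE = "<form method='post' action='/login'>...password...</form>"  # placeholder

class SessionStore:
    """Maps session id -> 'last web activity' time (in memory, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._last_seen = {}

    def login(self):
        # Unguessable id: 128 random bits, URL-safe alphabet.
        sid = secrets.token_urlsafe(16)
        self._last_seen[sid] = self._clock()
        return sid

    def check(self, sid):
        """True and refresh the activity time if sid is live; else forget it."""
        seen = self._last_seen.get(sid)
        if seen is None or self._clock() - seen > IDLE_LIMIT:
            self._last_seen.pop(sid, None)
            return False
        self._last_seen[sid] = self._clock()
        return True

# Site-relative links only ("/path", not "//host" or "http://..."), so the id
# is never appended to a URL that points at another server.
HREF = re.compile(r'href="(/(?!/)[^"#?]*)(\?[^"#]*)?(#[^"]*)?"')

def add_sid_to_links(html, sid):
    def repl(m):
        path, query, frag = m.group(1), m.group(2) or "", m.group(3) or ""
        sep = "&amp;" if query else "?"
        return f'href="{path}{query}{sep}sid={sid}{frag}"'
    return HREF.sub(repl, html)

def handle(store, sid, page_html):
    """Missing, unknown or idle-expired id gets the password page."""
    if not sid or not store.check(sid):
        return LOGIN_PAGE
    return add_sid_to_links(page_html, sid)
```

Because the id travels in the URL, it also ends up in browser history and in the Referer header sent when the user follows an off-site link from such a page, so the idle timeout is what limits how long a copied or cached link stays usable.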


