Ok, we have come across a * problem with user authorisation
and client page caching, and we are looking for a way to shut this hole.
The problem is this:
Server: NCSA 1.5.2 (but could be any server which handles user authorisation)
Client: Netscape, any version (but could be any local caching client)
Platform: PC Windows 3.1 (but any OS which could allow the users to read the cache)
Scenario:
User A has access to a given html file but needs to be an authorised
user. User A supplies user id/password combination and looks at the
file.
Later on user B using the same PC requests the file. User B is not
authorised to see it, and fails the authorisation check. However user B
tries again, and then cancels the request. Client then displays the
cached copy of the document!
Alternatively user C can just trawl the cache for the document on the PC
and recover it.
OK - what we want to try to do, is to get the server to send a Pragma:
No-cache header and even an Expires: Day, dd-Mon-yyyy header as well to
attempt to prevent caching locally of the file. Because the user can
easily just turn on caching with Netscape, especially on a PC for any
user of the machine, the only way round the problem we can see is to try
and tell any client not to keep a local copy.
I don't want to make changes to the server source unless there is no
choice, because all pages would then not be cached. I am wondering if
there is any server like Apache, which could selectively add the extra
headers on to some pages which we can define.
All suggestions welcome - I will gladly report on our eventual solution,
if any. If you need more information to understand the problem, please
--
Yours John.
Webzone: http://www.veryComputer.com/
*** Remember the time BW3 (before WWW)?-)
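
The selective behaviour the post asks for, as an added example (not part of the original post, and not NCSA or Apache code): a Python WSGI middleware that adds Pragma: no-cache and an already-past Expires only to protected pages, leaving other pages cacheable. The /private/ prefix, the demo application and the extra Cache-Control: no-store header are assumptions of this example.

```python
from wsgiref.util import setup_testing_defaults

PROTECTED_PREFIXES = ("/private/",)          # assumed site layout, not from the post
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"    # any past date in HTTP-date form
NO_CACHE_HEADERS = [
    ("Pragma", "no-cache"),
    ("Expires", EXPIRED),
    ("Cache-Control", "no-store"),           # HTTP/1.1 directive, newer than the post
]

def needs_no_cache(environ):
    """Protected path, or any request that carried credentials."""
    path = environ.get("PATH_INFO", "")
    return path.startswith(PROTECTED_PREFIXES) or "HTTP_AUTHORIZATION" in environ

class SelectiveNoCache:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not needs_no_cache(environ):
            return self.app(environ, start_response)   # public page: untouched
        override = {name.lower() for name, _ in NO_CACHE_HEADERS}

        def patched(status, headers, exc_info=None):
            # Drop any cache-friendly values the application set, then add ours.
            kept = [(k, v) for k, v in headers if k.lower() not in override]
            return start_response(status, kept + NO_CACHE_HEADERS, exc_info)

        return self.app(environ, patched)

def demo_app(environ, start_response):
    # Constructed stand-in for the real site; it sets a far-future Expires.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Expires", "Fri, 01 Jan 2100 00:00:00 GMT")])
    return [b"<html>page</html>"]

def response_headers(path, authorization=None):
    """Send one constructed request through the middleware; return its headers."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)
    b"".join(SelectiveNoCache(demo_app)(environ, start_response))
    return captured["headers"]
```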