Authorisation/Security problem

Post by Lord Wodehous » Sat, 24 Aug 1996 04:00:00

Ok, we have come across a * problem with user authorisation
and client page caching, and we are looking for a way to shut this hole.

The problem is this:

Server NCSA 1.5.2 (but could be any server which handles user
authorisation)

Client Netscape any version (but could be any local caching client)

Platform PC Windows 3.1 (but any OS which could allow the users to read
the cache)

Scenario:

User A has access to a given html file but needs to be an authorised
user. User A supplies user id/password combination and looks at the
file.

Later on user B using the same PC requests the file. User B is not
authorised to see it, and fails the authorisation check. However user B
tries again, and then cancels the request. Client then displays the
cached copy of the document!

Alternatively user C can just trawl the cache for the document on the PC
and recover it.

OK - what we want to try to do, is to get the server to send a Pragma:
No-cache header and even an Expires: Day, dd-Mon-yyyy header as well to
attempt to prevent caching locally of the file. Because the user can
easily just turn on caching with Netscape, especially on a PC for any
user of the machine, the only way round the problem we can see is to try
and tell any client not to keep a local copy.

I don't want to make changes to the server source unless there is no
choice, because all pages would then not be cached. I am wondering if
there is any server like Apache, which could selectively add the extra
headers on to some pages which we can define.

All suggestions welcome - I will gladly report on our eventual solution,
if any. If you need more information to understand the problem, please

--
Yours John.


Webzone: http://www.veryComputer.com/

*** Remember the time BW3 (before WWW)?-)
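One way to do what the post asks for, selectively adding the anti-caching headers only to the protected pages, on Apache httpd 2.2 or later with mod_auth_basic and mod_headers loaded. This is an added example, not something from the original thread; the `/private/` path and the htpasswd file location are assumptions.

```apache
# Added example (not from the original post). Only documents under
# /private/ are guarded by Basic auth, and only their responses get the
# anti-caching headers; the rest of the site stays cacheable, which is
# what the poster wanted to preserve.
<Location "/private/">
    AuthType Basic
    AuthName "Restricted"
    # Assumed location of the password file.
    AuthUserFile "/etc/httpd/htpasswd"
    Require valid-user

    # HTTP/1.1 clients: never store the body and always revalidate.
    # "always" also covers the 401 challenge, not just 2xx responses.
    Header always set Cache-Control "no-store, no-cache, must-revalidate"

    # HTTP/1.0 clients (the 1996-era browsers in the post) do not know
    # Cache-Control but honour Pragma and Expires.
    Header always set Pragma "no-cache"

    # Expires must be an RFC 1123 date; a date in the past makes any copy
    # stale immediately (the post sketched the header but not the value).
    Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT"
</Location>
```

After reloading, a request for `/private/` as an authorised user should show all three headers in the response; a request for any other path should show none of them.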


1. Security Dynamics ACE authorisation checking from Perl

I have a need for a perl interface to the Security Dynamics
authentication library routines sd_check(), sd_next() & sd_pin().

I'm about to go off an implement these, but if someone has done
the work and is willing to share it I would be very happy
to take a copy from them :-).

[For those who don't know, Security Dynamics make an access
control product based on a card which generates time synched
pseudo-random numbers.  You then login using your username
with a password based on the current card code.  Security Dynamics
provide a library to interface with their stuff, but I need
to check codes from within Perl, so need a Perl module to
interface to their C API].

        Nigel.

--

[ PLAnet Online : The White House     Tel : +44 113 2345566 x 612 ]
[ Melbourne Street, Leeds LS2 7PS UK. Fax : +44 113 2345656       ]
