W3C home > Mailing lists > Public > www-html@w3.org > April 2000

RE: Add timeouts for security to HTML [offtopic]

From: <JOrendorff@ixl.com>
Date: Thu, 20 Apr 2000 10:01:57 -0400
Message-ID: <CD8E2CDBC6D0D111ACB900805FBBD97E026302DA@memntsxchange.mem.ixl.com>
To: www-html@w3.org
Pd Rippe wrote:
> I think that your idea would be very usefull, as i am 
> creating an secure
> site which includes ecommerce...and there is nothing stopping someone
> from just looking through a browsers cashe...
> 
> Although you said that it could gray it out, and keep it encrypted, I
> think it would seem more logical if it just deleted the info [...]

There's already a feature of HTTP that handles this.
If a server sends sensitive data, it can (and obviously
should) *tell* the client NOT to cache it.

For example, in ASP, you should write
  <% Response.CacheControl = "no-store, no-cache" %>
  <% Response.AddHeader "Pragma", "no-cache" %>

In a Java servlet or JSP page, the code would be
  response.setHeader("Cache-Control", "no-store, no-cache");
  response.setHeader("Pragma", "no-cache");

In ColdFusion, you would write
  <CFHEADER NAME="Cache-Control" VALUE="no-store, no-cache">
  <CFHEADER NAME="Pragma" VALUE="no-cache">

The HTTP/1.1 spec is, of course, available online.
http://www.ietf.org/rfc/rfc2616.txt

From Section 14.9.2 of the spec:
> no-store
>    The purpose of the no-store directive is to prevent the
>    inadvertent release or retention of sensitive information (for
>    example, on backup tapes).  ...  If sent in a response, a
>    cache MUST NOT store any part of either this response or the
>    request that elicited it.

-- 
Jason Orendorff
Received on Thursday, 20 April 2000 10:03:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:43 GMT