- From: David W. Morris <dwm@xpasc.com>
- Date: Wed, 3 Jan 2001 13:08:58 -0500 (EST)
- To: Tom McLaren <tom@mclaren.tc>
- cc: Erik Aronesty <erik@primedata.org>, http-wg@cuckoo.hpl.hp.com
On Wed, 3 Jan 2001, Tom McLaren wrote: > I agree that a "logout" type button should certainly be implemented. I'm > interested in your choice of words however, naming the non-provision of an > HTTP server cache clearance request as a security hole. In my opinion it is > the responsibility of the site to provide some form of timeout security. To > provide an HTTP type clearance of the cache is exposing the agent to what > amounts to control by a third party. Surely this would constitute a greater > threat to security and not be a road to wander down without serious > consideration of the potential future implications? Any control provided to the server should of course be scoped to the data 'owned' by that server, hence no security exposure. Likewise, it should be possible for a user to expunge ALL data cached from their session, login credentials, cookies, pages etc. It should be possible for the 'owner' of the user agent installation to configure the UA to peform this function automatically when closed, etc. Again not a security issue if the action is performed by or directly on behalf of the human user. And of course, any well designed web application will implement a timeout stragegy because they can't trust the other end. Unfortunately short timeouts which improve security have the strong potential for very frustrated users who happen to be interrupted by a phone call or other task while in the middle of an interaction. Dave Morris
Received on Wednesday, 3 January 2001 10:16:56 UTC