- From: <JOrendorff@ixl.com>
- Date: Thu, 20 Apr 2000 10:01:57 -0400
- To: www-html@w3.org
Pd Rippe wrote:
> I think that your idea would be very useful, as I am
> creating a secure
> site which includes ecommerce...and there is nothing stopping someone
> from just looking through a browser's cache...
>
> Although you said that it could gray it out, and keep it encrypted, I
> think it would seem more logical if it just deleted the info [...]
There's already a feature of HTTP that handles this.
If a server sends sensitive data, it can (and obviously
should) *tell* the client NOT to cache it.
For example, in ASP, you should write
<% Response.CacheControl = "no-store, no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
In a Java servlet or JSP page, the code would be
response.setHeader("Cache-Control", "no-store, no-cache");
response.setHeader("Pragma", "no-cache");
In ColdFusion, you would write
<CFHEADER NAME="Cache-Control" VALUE="no-store, no-cache">
<CFHEADER NAME="Pragma" VALUE="no-cache">
The HTTP/1.1 spec is, of course, available online.
http://www.ietf.org/rfc/rfc2616.txt
From Section 14.9.2 of the spec:
> no-store
> The purpose of the no-store directive is to prevent the
> inadvertent release or retention of sensitive information (for
> example, on backup tapes). ... If sent in a response, a
> cache MUST NOT store any part of either this response or the
> request that elicited it.
--
Jason Orendorff
Received on Thursday, 20 April 2000 10:03:22 UTC
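The directives discussed in this thread (no-store, no-cache, Pragma: no-cache) differ in what they actually forbid, and a site owner auditing responses wants to see that difference rather than assume any of them means "not written to disk". The following audit helper is an added example, not code from Jason's post or from the www-html list; it parses a response's Cache-Control and Pragma headers according to RFC 2616 sections 14.9 and 14.32 and reports whether a cache is still permitted to store the response. The header sets passed to it in `main()` are constructed for illustration.

```python
"""Audit helper: may a cache store this HTTP response?

Added example, not from the original mailing-list post. Implements the
RFC 2616 14.9 semantics of no-store, no-cache and private, plus the
HTTP/1.0 Pragma hint, so that a response carrying sensitive data can be
checked before it ships. Header sets below are constructed samples.
"""
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive; arguments such as max-age=0 or
    private="Set-Cookie" are kept as strings with quotes removed.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_assessment(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (may_be_stored, findings) for a response's headers.

    may_be_stored is True when nothing in the headers forbids a cache
    (browser or proxy) from writing the response to disk; findings lists
    the reasons so the result reads as an audit note.
    """
    # Header names are case-insensitive; normalise them once.
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []

    if "no-store" in cc:
        # RFC 2616 14.9.2: MUST NOT store any part of response or request.
        findings.append("no-store: cache MUST NOT store request or response")
        return False, findings
    if "no-cache" in cc:
        # no-cache alone forces revalidation before reuse but does not
        # forbid storage, so a copy can still sit on disk (RFC 2616 14.9.1).
        findings.append("no-cache: may be stored, must be revalidated before reuse")
    if "private" in cc:
        findings.append("private: shared caches must not store; a browser cache may")
    if lower.get("pragma", "").strip().lower() == "no-cache":
        # Pragma: no-cache is defined for requests; on a response it is only
        # a hint some HTTP/1.0 caches honour (RFC 2616 14.32).
        findings.append("Pragma: no-cache: HTTP/1.0 hint only, not a guarantee")
    if not findings:
        findings.append("no cache directives: response is cacheable by default")
    return True, findings


def sensitive_response_headers() -> Dict[str, str]:
    """The headers the post recommends for responses carrying sensitive data."""
    return {"Cache-Control": "no-store, no-cache", "Pragma": "no-cache"}


def main() -> None:
    # Constructed samples: the recommended set, a weaker set, and no headers.
    samples = {
        "recommended": sensitive_response_headers(),
        "no-cache only": {"Cache-Control": "no-cache", "Pragma": "no-cache"},
        "plain page": {"Content-Type": "text/html"},
    }
    for label, hdrs in samples.items():
        stored, notes = cache_assessment(hdrs)
        print(f"{label}: may_be_stored={stored}")
        for note in notes:
            print("   -", note)


if __name__ == "__main__":
    main()
```

The distinction the helper surfaces is the one that matters for the original question: only no-store removes the response from the browser's cache entirely; no-cache and Pragma: no-cache on their own leave a stored copy that a later visitor to the same machine could still read.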