RE: Add timeouts for security to HTML [offtopic]

Pd Rippe wrote:
> I think that your idea would be very useful, as I am 
> creating a secure
> site which includes ecommerce...and there is nothing stopping someone
> from just looking through a browser's cache...
> Although you said that it could gray it out, and keep it encrypted, I
> think it would seem more logical if it just deleted the info [...]

There's already a feature of HTTP that handles this.
If a server sends sensitive data, it can (and obviously
should) *tell* the client NOT to cache it.

For example, in ASP, you should write
  <% Response.CacheControl = "no-store, no-cache" %>
  <% Response.AddHeader "Pragma", "no-cache" %>

In a Java servlet or JSP page, the code would be
  response.setHeader("Cache-Control", "no-store, no-cache");
  response.setHeader("Pragma", "no-cache");

In ColdFusion, you would write
  <CFHEADER NAME="Cache-Control" VALUE="no-store, no-cache">
  <CFHEADER NAME="Pragma" VALUE="no-cache">

The HTTP/1.1 spec is, of course, available online.

From Section 14.9.2 of the spec:
> no-store
>    The purpose of the no-store directive is to prevent the
>    inadvertent release or retention of sensitive information (for
>    example, on backup tapes).  ...  If sent in a response, a
>    cache MUST NOT store any part of either this response or the
>    request that elicited it.

Jason Orendorff
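A check for the advice in this post, as an added example that is not from the post or from the HTTP spec: it parses a response's Cache-Control header the way RFC 2616 section 14.9 describes it (comma-separated directives, optional quoted values) and reports what a sensitive page's headers are missing. The header dictionaries are constructed samples, not captured from any server.

```python
def _split_directives(value):
    """Split a header value on commas, leaving commas inside quoted strings alone."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_cache_control(value):
    """Map each Cache-Control directive (lower-cased) to its value, or None if it has none."""
    directives = {}
    for part in _split_directives(value or ""):
        name, eq, val = part.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string (backslash escapes are not unescaped here)
        directives[name.strip().lower()] = val if eq else None
    return directives

def sensitive_response_findings(headers):
    """List what is wrong with the cache headers of a response carrying sensitive data.
    An empty list means the response matches the post's advice (no-store, no-cache, Pragma)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: a cache MAY keep a copy (RFC 2616 14.9.2)")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: a stored copy could be reused without revalidation")
    if "public" in cc:
        findings.append("Cache-Control: public explicitly permits shared caches to store the response")
    if cc.get("max-age") not in (None, "0"):
        findings.append("max-age=%s gives a stored copy a positive freshness lifetime" % cc["max-age"])
    if "no-cache" not in h.get("pragma", "").lower():
        findings.append("Pragma: no-cache missing: the post pairs it with Cache-Control for older caches")
    return findings

# Constructed sample responses (not captured from any real server).
HARDENED = {"Content-Type": "text/html", "Cache-Control": "no-store, no-cache", "Pragma": "no-cache"}
LEAKY = {"Content-Type": "text/html", "Cache-Control": 'private, max-age=600, ext="a,b"'}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("leaky", LEAKY)):
        print(name, sensitive_response_findings(hdrs) or ["ok"])
```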

Received on Thursday, 20 April 2000 10:03:22 UTC