Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: How to prevent Internet Explorer from locally caching pages

Re: How to prevent Internet Explorer from locally caching pages

From: Adrian Caneva <acaneva_at_nexttech.com.ar>
Date: 4 Apr 2003 21:44:25 -0000
('binary' encoding is not supported, stored as-is) In-Reply-To: <Pine.LNX.4.44.0304032032030.886-100000_at_localhost.localdomain>

Thanks for your quick responses!
After some research I believe I've found an answer.

Usually web applications send 3 basic headers to prevent caching:

Cache-Control : no-cache
//HTTP 1.1 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1

Pragma : no-cache;
//HTTP 1.0 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.32
for proxies

Expires : -1

Maybe also, some other headers like (cache-control, private).
As Liam correctly pointed out (Expire, -1) header is not mandatory. And
should be ignored for history retrieving methods if the page is in local
cache.
But the page should not be in local cache in the first place because
(cache-control, no-cache) header would prevent any intermediate cache from
storing it.
The problem with these statement is that is an HTTP/1.1 header.
Internet Explorer would evaluate this header only if it comes in an
HTTP/1.1 response.
If a Proxy server HTTP/1.0 like Squid is between the web application and
the browser, MSIE would receive this header into an HTTP/1.0 response
block and will ignore it.
No matter if the web server at the origin is HTTP/1.1 compliant.
If the proxy is not in the chain, MSIE behaves as expected not caching
locally the response.
Additionaly, Internet Explorer needs advanced setting "Use HTTP 1.1
through proxy connections" to place HTTP 1.1 requests behind a proxy.
Microsoft says that for HTTP 1.0 servers (pragma, no cache) header would
prevent MSIE from storing local copies of the response if it comes from a
secure site. And this is the simplistic workaround.

Best regards and thanks again,

Adrian Caneva

>FWIW, IE's behaviour seems to be in agreement with the HTTP/1.1
>specification:
>
> By default, an expiration time does not apply to history mechanisms.
> If the entity is still in storage, a history mechanism SHOULD display
> it even if the entity has expired, unless the user has specifically
> configured the agent to refresh expired history documents.
>
>http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.13
>
>--
Received on Apr 04 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos