|
|
|
Browser sessions can persist after logout, so removing the SMSESSION cookie does not prevent a user from using the same browser session to view previously cached files. This problem occurs because the proxy server is not aware of the logout request and retains any protected/unprotected content in cache for the cache-control: private user until it timed out (cache-control: max-age=60). Thus, such a request would result in a page returned with a valid SMSESSION cookie. The only way to ensure security is to disable keep-alives or close the browser.
Further, the local browser cache is affected by the private/max-age combination since it observes local cache across sessions. For this reason, the max-age time for protected resources should be as short as possible.
Employing the if-modified-since and if-none-match request headers when the allowcacheheaders="FALSE" configuration setting is used (default) does not prevent the proxy server from observing these headers. Thus, these observed headers take effect on the request according to the proxy server.
You could work around this issue by installing:
Since HTTP 1.0, HTTP 1.1, or higher use different headers for specifying instructions to caching proxies, these versions should be configured in a way to ensure the most appropriate handling based on the type of connection.
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |