Security Basics mailing list archives

Viewing web content off-line (Apache) - default Oracle install of self-service apps


From: stef <stefmit () starband net>
Date: Fri, 25 Oct 2002 05:14:08 -0500

Hi, all,

A first attempt of mine in posting this was declined by the moderator as 
irrelevant to a security list, so I am trying to reformulate to emphasize the 
fact that the only reason for this post is a security issue: we have started 
deploying Oracle self-services in my company (HR-related "modules", among 
others), based on Oracle 9 as database and Apache as web server. The problem 
is that these applications contain highly confidential data (e.g. salary 
info), and in the areas where the PCs are shared among multiple users, the 
availability of pages saved in the history is of great concern. Here is what 
is happening: after having "visited" the salary information, regardless of 
whether the user exits the application properly, or not, his information is 
available to the next user by simply doing the following:
- in a browser like Microsoft IE - choose "work offline"
- choose then the history menu
- "pick" ("click") on one of the previously visited pages (by other 
employees) --> boom - salary info from previous visitor is available

We are running all this using SSL (obviously in an attempt to avoid the 
damage of traffic sniffing as much as we can), so we found an easy solution, 
namely "tweaking" the browser in the security options by checking 
"Do not save encrypted pages to disk" in the Tools --> Internet options ... 
--> Advanced menu (in IE). We also have knowledge of how to do this 
"scripted", such that all the browsers get the change, by using a reg hack 
deployed through the login script, one which also removes the rights of 
regular users to change this option back, BUT I do not think this 
is a proper way of resolving such a security issue. I think that the solution 
should reside on the Apache side, by forcing (somehow) this type of 
"caching"/"history kept" from happening. I know the basics of HTML Metatags 
or Pragmas in regards to expiration of cache, etc. ... but this is not the 
solution I am seeking, as it won't work on dynamically created pages - I 
think there may be a solution using Java-based app(let)s forcing this 
dynamically, such that we could deploy a "hidden" such applet on every 
dynamically created page ....

Sorry for the lengthy posting - in the end the simple question is: has 
anybody been faced with this challenge of self-service-like apps, delivered 
via Apache-based servers? If yes - how did you resolve the security aspects 
such as the one I described above?

Thx,
Stef
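The server-side control asked for above, as an added example that is not part of Stef's post and not Oracle's or Apache's own configuration: an httpd.conf fragment using the real mod_headers directives to mark every response under the self-service mount point as non-storable. The path /selfservice is an assumed placeholder for wherever the Oracle self-service pages are actually served from.

```apache
# Added example (not from the original post): server-side cache prevention
# for confidential self-service pages. Requires mod_headers to be loaded
# (LoadModule headers_module ...). The path /selfservice is an assumption;
# replace it with the real mount point of the self-service application.
<IfModule mod_headers.c>
    <Location /selfservice>
        # no-store: the browser must not write the response to disk, which
        # is what IE's "Work Offline" + History replay on a shared PC relies on.
        # no-cache / must-revalidate: any copy that does exist must be
        # revalidated with the server before it is shown again.
        # private: intermediate (shared) proxies must not cache it either.
        Header set Cache-Control "no-store, no-cache, must-revalidate, private"
        # HTTP/1.0 equivalents for older clients and proxies.
        Header set Pragma "no-cache"
        Header set Expires "0"
    </Location>
</IfModule>
```

Because the headers are added by the front-end Apache for everything under that location, they reach dynamically generated pages as well as static ones; confirm this on a real page rather than an index page, e.g. with `curl -k -I https://yourhost/selfservice/...` and check that `Cache-Control: no-store` comes back. Two caveats a practitioner should keep in mind: older IE versions over SSL refuse to save file downloads (e.g. exported reports) when `no-store`/`no-cache` is set, so scope the `<Location>` to the HTML pages rather than to download URLs; and the headers stop the page content from being re-displayed offline but do not clear the URL itself from the History list, so the per-browser "Do not save encrypted pages to disk" setting remains a reasonable second layer on shared PCs.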
