Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps

[stef <stefmit () starband net>]

Thank you - but the point I was trying to make was that a browser solution 
relies on clients keeping the setup/configuration as such. A sophisticated 
user could easily change that back to defaults, or whatever else (or even the 
reg key disabling access to the Advanced tab ... as it is a simple HKEY_USER 
entry), and take advantage of the other users sharing that PC, leaving traces 
of their visits. This is why I was looking into a server-based solution.

Speaking of server-based solution I actually came across something I was 
going to try: mod_headers and mod_expires in Apache - presumably able to 
handle the needed cache-control in http (the application-layer protocol), 
rather than in HTML (which would have been very messy ... as I initially 
mentioned in my post, because of the zillion templates needed to have the 
HTML code appended with appropriate Pragmas or Metatags) ... but the problem 
with this approach (mod_xxx) is that the Apache is delivered by Oracle in 
binary form, thus less lilkely to be able to get the source and recompile the 
needed modules ... I am still looking, though.

Thx,
Stef

On Monday 28 October 2002 12:57 pm, you wrote:
> In IE : Tools\Internet Options\
> Choose Settings in Temporary Internet File panel and checked every time you
> visit page.
>
> It seems to solve the problem
>
> ----- Original Message -----
> From: "stef" <stefmit () starband net>
> To: <security-basics () securityfocus com>
> Sent: Friday, October 25, 2002 11:14 AM
> Subject: Viewing web content off-line (Apache) - default Oracle install of
> self-service apps
>
> > Hi, all,
> >
> > A first attempt of mine in posting this was declined by the moderator as
> > irrelevant to a security list, so I am trying to reformulate to emphasize
>
> the
>
> > fact that the only reason of this post is a security issue: we have
>
> started
>
> > deploying Oracle self-services in my company (HR-related "modules", among
> > others), based on Oracle 9 as database and Apache as web server. The
>
> problem
>
> > is that these applications contain highly confidential data (e.g. salary
> > info), and in the areas where the PCs are shared among multiple users,
> > the availability of pages saved in the history is of great concern. Here
> > is
>
> what
>
> > is happening: after having "visited" the salary information, regardless
> > of whether the user exits the application properly, or not, his
> > information
>
> is
>
> > available to the next user by simply doing the following:
> > - in a browser like Microsoft IE - choose "work offline"
> > - choose then the history menu
> > - "pick" ("click") on one of the previously visited pages (by other
> > employees) --> boom - salary info from previous visitor is available
> >
> > We are running all this using SSL (obviously in an attempt to avoid the
> > damage of traffic sniffing as much as we can) , so we found an easy
>
> solution
>
> > being the "tweaking" of the browser in the security options, by checking
>
> the
>
> > "Do not save encrypted pages to disk" in the Tools --> Internet options
>
> ...
>
> > --> Advanced menu (in the IE). We also have knowlegde on how to do this
> > "scripted", such that all the browsers get the change, by using a reg
> > hack deployed through the login srcipt, one containing also removal of
> > specific rights for regular users changing back this option, BUT I do not
> > think
>
> this
>
> > is a proper way of resolving such a security issue. I think that the
>
> solution
>
> > should reside on the Apache side, by forcing (somehow) this type of
> > "caching"/"history kept" from happening. I know the basics of HTML
>
> Metatags
>
> > or Pragmas in regards to expiration of cache, etc. ... but this is not
> > the solution I am seeking, as it won't work on dynamically created pages
> > - I think there may be a solution using Java bases app(let)s forcing this
> > dynamically, such that we could deploy a "hidden" such applet on every
> > dynamically created page ....
> >
> > Sorry for the lengthy posting - in the end the simple question is: has
> > anybody been faced with this challenge of self-service-like apps,
>
> delivered
>
> > via Apache-based servers? If yes - how did you resolve the security
>
> aspects
>
> > such as the one I described above?
> >
> > Thx,
> > Stef