Security Basics mailing list archives

[CLOSED]Viewing web content off-line (Apache) - default Oracle install of self-service apps


From: stef <stefmit () starband net>
Date: Wed, 30 Oct 2002 15:59:28 -0600

Finally figured it out myself:

- Oracle apache binary comes with the mod_expires and mod_headers 
precompiled. All I had to do in the end was to enable them in the 
configuration file, to find that they worked just fine - a very nice document 
explaining how to do that is here:

http://linux.oreillynet.com/lpt/a/1424

Once having done that, no client is able to try to work offline and still 
read previously cached info --> security issue at the client level addressed!

Thx to everyone for all the suggestions - and thank you to the moderator for 
letting this go through, even though so vendor specific.

Stef

On Wednesday 30 October 2002 08:43 am, stef wrote:
EXACTLY!! But here is my hope: according to the standards, all browsers
developed by HTTP1.1 standard are forced to abide by the requirements in
the HTTP headers, even though not necessarily forced to go by Pragmas
and/or Metatags (which are HTML "enforcers", instead) ... this is the
difference I count on: HTTP vs. HTML. Besides the obvious fact that it is
much easier to modify configuration files for Apache in one single place
(for the HTTP solution, if you want to call it as such), vs. modifying all
possible HTML templates Oracle delivers with their products (the HTML
solution). The drawback? Apache comes in binary form from Oracle, for the
HP-UX platform, and does not use the "standard" httpd.conf ... so I am
digging up the non-documented apache workings right now.

And - to stay on the topic of this forum - my initial question was: really
nobody has been presented with this security issue, taking into account the
vast deployment of Oracle with Apache, as well as Oracle apps, throughout
the world?!?

Thx again to all who replied,
Stef

On Tuesday 29 October 2002 04:13 am, Johan De Meersman wrote:
The way I understand what you're trying to do, all you need is to send
http-headers 'Expires: now' and/or 'Nocache'. I'm not sure about the
exact syntax (have a look at the http rfc), but your server-side
application should be able to handle this easily. However, whatever
server-side pragmas you implement, you'll always be depending on the
client browser to accurately interpret them.
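
An added example, not taken from the thread or from the linked article: a minimal Apache configuration fragment of the kind the thread describes, using mod_expires and mod_headers to send anti-caching HTTP headers from one central place. It assumes both modules are already compiled in or loaded, as the post says they are in the Oracle-supplied binary; the specific header values are this example's choice, not the poster's.

```apache
# Added example. Server-wide here; to limit it to application pages,
# place the same directives inside a <Location> or <Directory> block.

<IfModule mod_expires.c>
    # mod_expires: emit an Expires header equal to the time of access,
    # so the response is already stale when the client receives it.
    ExpiresActive On
    ExpiresDefault "access plus 0 seconds"
</IfModule>

<IfModule mod_headers.c>
    # mod_headers: tell HTTP/1.1 clients and proxies not to store the
    # response, and to revalidate before reusing anything they hold.
    Header set Cache-Control "no-store, no-cache, must-revalidate"
    # Commonly sent alongside for HTTP/1.0 clients and proxies.
    Header set Pragma "no-cache"
</IfModule>
```

After a restart, the response headers can be checked with any client that prints them (for example `curl -I` against an application URL) to confirm that `Expires` and `Cache-Control` are present on the pages that matter.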

