Security Basics mailing list archives
[CLOSED]Viewing web content off-line (Apache) - default Oracle install of self-service apps
From: stef <stefmit () starband net>
Date: Wed, 30 Oct 2002 15:59:28 -0600
Finally figured it out myself:

- Oracle apache binary comes with the mod_expires and mod_headers precompiled. All I had to do in the end was to enable them in the configuration file, to find that they worked just fine - a very nice document explaining how to do that is here:

http://linux.oreillynet.com/lpt/a/1424

Once having done that, no client is able to try to work offline and still read previously cached info --> security issue at the client level addressed!

Thx to everyone for all the suggestions - and thank you to the moderator for letting this go through, even though so vendor specific.

Stef

On Wednesday 30 October 2002 08:43 am, stef wrote:
EXACTLY!! But here is my hope: according to the standards, all browsers developed by HTTP1.1 standard are forced to abide by the requirements in the HTTP headers, even though not necessarily forced to go by Pragmas and/or Metatags (which are HTML "enforcers", instead) ... this is the difference I count on: HTTP vs. HTML. Besides the obvious fact that it is much easier to modify configuration files for Apache in one single place (for the HTTP solution, if you want to call it as such), vs. modifying all possible HTML templates Oracle delivers with their products (the HTML solution).

The drawback? Apache comes in binary form from Oracle, for the HP-UX platform, and does not use the "standard" httpd.conf ... so I am digging up the non-documented apache workings right now.

And - to stay on the topic of this forum - my initial question was: really nobody has been presented with this security issue, taking into account the vast deployment of Oracle with Apache, as well as Oracle apps, throughout the world?!?

Thx again to all who replied,

Stef

On Tuesday 29 October 2002 04:13 am, Johan De Meersman wrote:

The way I understand what you're trying to do, all you need is to send http-headers 'Expires: now' and/or 'Nochache'. I'm not sure about the exact syntax (have a look at the http rfc), but your server-side application should be able to handle this easily. However, whatever server-side pragmas you implement, you'll always be depending on the client browser to accurately interpret them.
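
Added example, not part of the original thread and not code from any of the posters: a small Python check a defender could run against a response head to confirm that the HTTP-level headers discussed above (Expires, Cache-Control) are actually being sent. The sample response heads, the function names and the three verdict labels are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

# Constructed response heads for illustration (not captured from a real server).
NO_POLICY = "HTTP/1.1 200 OK\nDate: Wed, 30 Oct 2002 21:59:28 GMT\nContent-Type: text/html\n"
EXPIRES_NOW = NO_POLICY + "Expires: Wed, 30 Oct 2002 21:59:28 GMT\nCache-Control: max-age=0\n"
NO_STORE = NO_POLICY + "Expires: 0\nCache-Control: no-cache, no-store\n"

def parse_head(raw):
    """Return {lower-cased header name: value}; repeated headers are comma-joined."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return headers

def expired_on_arrival(headers):
    """True when Expires is not later than Date; an unparsable Expires ("0") counts as expired."""
    if "expires" not in headers:
        return False
    try:
        expires = parsedate_to_datetime(headers["expires"])
    except (TypeError, ValueError):
        return True
    try:
        return expires <= parsedate_to_datetime(headers.get("date", ""))
    except (TypeError, ValueError):
        return False  # no usable Date to compare with, so do not assume staleness

def offline_verdict(raw):
    """Classify a response head: 'not-stored', 'stored-but-stale' or 'cacheable'."""
    h = parse_head(raw)
    directives = {}
    for part in h.get("cache-control", "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    if "no-store" in directives:
        return "not-stored"        # caches must not keep a copy at all
    # max-age, when present, takes precedence over Expires
    stale = directives["max-age"] == "0" if "max-age" in directives else expired_on_arrival(h)
    if stale or "no-cache" in directives:
        return "stored-but-stale"  # a copy may be kept, but must be revalidated before reuse
    return "cacheable"             # nothing tells the browser to discard or recheck its copy

if __name__ == "__main__":
    for raw in (NO_POLICY, EXPIRES_NOW, NO_STORE):
        print(offline_verdict(raw))
```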