WebApp Sec mailing list archives

RE: Publishing Web Based Application via ICA protocol


From: "Jose Varghese" <jose.varghese () paladion net>
Date: Mon, 1 Aug 2005 12:10:59 +0530

 
Hi Saqib,

I would like to inform you that setting the right "Cache-Control" header can
help prevent a browser from caching doc/pdf/xls type files.
 

To prevent the files being cached, the following needs to be done:

1. Dynamically stream the document to the browser. 

2. Set the cache control header to "NO-STORE".

3. Ensure that the connection is HTTPS.

I had written a tiny snippet of code in ASP and simulated the same using
Microsoft IIS 6.0. Both Mozilla and Internet Explorer browsers will not
cache the application files if they are served on an HTTPS connection.

Regards

Jose Varghese
Paladion Networks  

http://palisade.paladion.net

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Saturday, July 16, 2005 8:00 PM
To: jose. varghese @ paladion. net
Cc: webappsec () securityfocus com
Subject: Re: Publishing Web Based Application via ICA protocol

Hello Jose,

I went through the document, and here is my feedback:

1) As far as I know, CACHE-CONTROL header does NOT provide protection against
caching of doc/pdf/xls/vsd files. The files still get downloaded locally on
the machine for viewing, and remain in the Internet Temporary Files folder. Am
I wrong? Please let me know if this is not the case. Thanks.

2) I do dynamically render all the documents. In addition I am also using
anti-leeching methods to prevent traversal, and/or direct linking.

Regarding the issue of sensitive documents getting cached at the 
client machine, Andres Desa discusses this and more about secure
document delivery over Internet in the paper 
http://www.paladion.net/papers/Document_Security_in_Web_Applications.pdf.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
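
The three steps listed in the reply above (stream the document dynamically, send "Cache-Control: no-store", require HTTPS), shown as a Python WSGI handler. This is an added example, not the ASP snippet mentioned in the message; the `DOCUMENTS` store, the `serve_document` and `fetch` names and the sample PDF bytes are constructed for illustration.

```python
import io

CHUNK = 8192
# Constructed sample store; stands in for a database or a directory outside the web root.
DOCUMENTS = {"report.pdf": b"%PDF-1.4 constructed sample bytes\n" * 1000}


def serve_document(environ, start_response):
    """Stream a stored document with 'no-store', and only over HTTPS."""
    # Step 3: refuse plain HTTP before touching the document.
    if environ.get("wsgi.url_scheme") != "https":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"HTTPS required\n"]

    name = environ.get("PATH_INFO", "").lstrip("/")
    data = DOCUMENTS.get(name)  # lookup by key, never by filesystem path
    if data is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]

    headers = [
        ("Content-Type", "application/pdf"),
        ("Content-Length", str(len(data))),
        # Step 2: tell the browser and any intermediary not to store the body.
        ("Cache-Control", "no-store"),
        ("Content-Disposition", 'inline; filename="%s"' % name),
    ]
    start_response("200 OK", headers)
    # Step 1: the application streams the bytes itself; there is no static URL to link to.
    stream = io.BytesIO(data)
    return iter(lambda: stream.read(CHUNK), b"")


def fetch(path, scheme):
    """Call the handler in-process and return (status, headers dict, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"PATH_INFO": path, "wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET"}
    body = b"".join(serve_document(environ, start_response))
    return seen["status"], seen["headers"], body
```

`fetch("/report.pdf", "https")` returns the response a browser would receive, so the headers can be checked without starting a server.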


