WebApp Sec mailing list archives

Re: Publishing Web Based Application via ICA protocol


From: Justin Clarke <justin () justinclarke com>
Date: Fri, 15 Jul 2005 10:19:33 -0400

Are you concerned over files downloaded from the website (i.e. Word/Excel documents in the applications, other stuff that can be downloaded), or pages containing sensitive information being cached? A standard measure for downloading content is to display a big warning saying don't download content from a public machine as it will be exposed.

If you are concerned about pages being cached, you can control this pretty well by being paranoid about cache control - supply Cache-Control: no-store headers (HTTP/1.1) and Pragma: no-cache headers (HTTP/1.0) on every page with sensitive stuff, serve them with pre-expired (note - NOT Expires: -1) expiry headers, caching meta tags, etc. (there are some details about this all in the OWASP secure app guide). Then at least you have done everything you can from the server.

As for cookies, you can catch the browser close event and destroy cookies, plus have an arbitrarily short expiry on the session timeout.

Of course, all of these measures are going to make the app a little bit less friendly to use.

J

On Jul 14, 2005, at 8:55 PM, Saqib Ali wrote:

If you are simply publishing a web URL to be run in IE, it might be better off as a well secured web front-end using high bit level SSL and some two factor authentication.


If we take Citrix out of the picture, I have the problem of cached
files/cookie residing on the computer from where the user accessed our
application. The user might have connected from a public computer, or
a friend's computer.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
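The server-side part of Justin's advice (Cache-Control: no-store for HTTP/1.1 caches, Pragma: no-cache for HTTP/1.0 caches, and a real pre-expired Expires date rather than "Expires: -1") can be checked mechanically. The following is an added example, not code from the thread or from any project it mentions; the header values, the fixed reference time and the sample responses are constructed for illustration.

```python
"""Build and audit anti-caching response headers for pages carrying sensitive data.

Added example (not from the original thread). It encodes the advice in the post:
HTTP/1.1 Cache-Control: no-store, HTTP/1.0 Pragma: no-cache, and an Expires
value that is a valid RFC 1123 date already in the past (NOT "-1").
"""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Fixed "current time" so the checks below are deterministic (constructed value).
NOW = datetime(2005, 7, 15, 14, 19, 33, tzinfo=timezone.utc)


def no_store_headers():
    """Header set to send with every page that shows sensitive content.

    The Expires value is a real date in the past; "-1" is not an HTTP date and
    some caches treat an unparseable Expires as "no Expires header at all".
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": format_datetime(datetime(1997, 1, 1, tzinfo=timezone.utc), usegmt=True),
    }


def audit_cache_headers(headers, now=NOW):
    """Return a list of findings for one response; an empty list means it
    follows the advice. Header names are matched case-insensitively, as HTTP
    requires, so it works on headers as captured from any server."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store (HTTP/1.1 caches may write the page to disk)")

    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches ignore Cache-Control)")

    expires = h.get("expires")
    if expires is None:
        findings.append("Expires header missing")
    elif expires.strip() == "-1":
        findings.append("Expires: -1 is not a valid HTTP date; use a real date in the past")
    else:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            findings.append(f"Expires is not an RFC 1123 date: {expires!r}")
        else:
            if when.tzinfo is None:  # naive datetimes from parsedate are treated as GMT
                when = when.replace(tzinfo=timezone.utc)
            if when > now:
                findings.append("Expires is in the future; the page is cacheable until then")
    return findings


# Constructed sample responses (not captured from any real application).
WEAK = {
    "Cache-Control": "private, max-age=600",  # allows the browser cache to keep the page
    "Expires": "-1",                           # the anti-pattern the post warns about
}

if __name__ == "__main__":
    for label, hdrs in (("recommended", no_store_headers()), ("weak", WEAK)):
        print(label, "->", audit_cache_headers(hdrs) or "ok")
```

Run against the recommended set the audit returns no findings; against the weak set it reports the missing no-store directive, the missing Pragma header and the invalid "Expires: -1". Meta tags in the page body are deliberately not checked here: intermediate caches never see them, which is why the post puts the headers first.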