WebApp Sec mailing list archives
Re: Publishing Web Based Application via ICA protocol
From: Justin Clarke <justin () justinclarke com>
Date: Fri, 15 Jul 2005 10:19:33 -0400
Are you concerned over files downloaded from the website (i.e., Word/Excel documents in the applications, other stuff that can be downloaded), or pages containing sensitive information being cached? A standard measure for downloading content is to display a big warning saying don't download content from a public machine, as it will be exposed.
If you are concerned about pages being cached, you can control this pretty well by being paranoid about cache control - supply Cache-Control: no-store headers (HTTP/1.1) and Pragma: no-cache headers (HTTP/1.0) on every page with sensitive stuff, serve them with pre-expired (note - NOT Expires: -1) expiry headers, caching meta tags, etc. (there are some details about all this in the OWASP secure app guide). Then at least you have done everything you can from the server.
As for cookies, you can catch the browser close event and destroy cookies, plus have an arbitrarily short expiry on the session timeout.
Of course, all of these measures are going to make the app a little bit less friendly to use.
J

On Jul 14, 2005, at 8:55 PM, Saqib Ali wrote:

If you are simply publishing a web URL to be run in IE, it might be better off as a well secured web front-end using high bit level SSL and some two factor authentication.

If we take Citrix out of the picture, I have the problem of cached files/cookies residing on the computer from where the user accessed our application. The user might have connected from a public computer, or a friend's computer.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
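The header and cookie handling Justin describes above, as an added example that is not code from this thread: a Python helper that applies the Cache-Control: no-store / Pragma: no-cache / Expires headers to a sensitive response (using a real, already-past HTTP date rather than a bare -1), an audit function that flags responses missing them, and a session cookie built without Max-Age or Expires so the browser discards it when closed, paired with a server-side idle timeout. The function names, the plain headers dict, and the 300-second timeout are assumptions for illustration; the meta tags Justin also mentions are not covered here.

```python
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime

# Headers that tell HTTP/1.1 caches, HTTP/1.0 caches and the browser's own
# cache not to keep a copy of the response (constructed for this example).
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    # A valid HTTP date in the past; "-1" is not an RFC-compliant date.
    "Expires": formatdate(0, usegmt=True),  # Thu, 01 Jan 1970 00:00:00 GMT
}


def harden_response_headers(headers: dict, sensitive: bool) -> dict:
    """Return a copy of `headers` with anti-caching headers applied when the
    response carries sensitive data (hypothetical helper, not a framework API)."""
    out = dict(headers)
    if sensitive:
        out.update(NO_CACHE_HEADERS)
        # Validators would let a shared cache revalidate a stale copy; drop them.
        out.pop("ETag", None)
        out.pop("Last-Modified", None)
    return out


def audit_cache_headers(headers: dict) -> list:
    """Return a list of findings for a response that must not be cached.
    An empty list means every check passed."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    directives = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (needed for HTTP/1.0 caches)")
    expires = h.get("expires")
    if expires is None:
        findings.append("Expires header missing")
    else:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:          # naive date: treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            if when > datetime.now(timezone.utc):
                findings.append("Expires is in the future")
        except (ValueError, TypeError):
            # Covers "-1", "0" and other non-date values.
            findings.append("Expires is not a valid HTTP date: %r" % expires)
    return findings


def session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Build a Set-Cookie value with no Max-Age/Expires, so the browser treats it
    as a session cookie and drops it when the browser is closed."""
    attrs = ["%s=%s" % (name, value), "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def session_is_live(last_seen: float, now: float, idle_timeout: float = 300) -> bool:
    """Server-side idle timeout: the cookie being present is not enough, the
    session must also have been used within `idle_timeout` seconds."""
    return (now - last_seen) <= idle_timeout


if __name__ == "__main__":
    weak = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600",
            "Expires": "-1"}                 # constructed weak response
    for finding in audit_cache_headers(weak):
        print("weak:", finding)
    fixed = harden_response_headers(weak, sensitive=True)
    print("hardened findings:", audit_cache_headers(fixed))
    print(session_cookie("sid", "3f9a1c"))
```

The audit is the piece worth wiring into a test suite: run it against every response an authenticated user can fetch, and treat any finding as a regression. A browser-close cookie only helps if the server also enforces the idle timeout, since a user on a shared machine may simply walk away without closing the browser.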
Current thread:
- Publishing Web Based Application via ICA protocol Saqib Ali (Jul 13)
- Re: Publishing Web Based Application via ICA protocol Justin Clarke (Jul 14)
- <Possible follow-ups>
- RE: Publishing Web Based Application via ICA protocol Welsh, Ed (Jul 14)
- Re: Publishing Web Based Application via ICA protocol Saqib Ali (Jul 14)
- Re: Publishing Web Based Application via ICA protocol Chuck (Jul 15)
- Re: Publishing Web Based Application via ICA protocol Justin Clarke (Jul 15)
- Re: Publishing Web Based Application via ICA protocol Saqib Ali (Jul 15)
- Re: Publishing Web Based Application via ICA protocol Saqib Ali (Jul 14)
- RE: Publishing Web Based Application via ICA protocol Evans, Arian (Jul 14)
- Re: Publishing Web Based Application via ICA protocol jose . varghese (Jul 15)
- Re: Publishing Web Based Application via ICA protocol Saqib Ali (Jul 16)
- RE: Publishing Web Based Application via ICA protocol Jose Varghese (Aug 02)
- Re: Publishing Web Based Application via ICA protocol Saqib Ali (Jul 16)
- RE: Publishing Web Based Application via ICA protocol Evans, Arian (Jul 18)