On 22/06/2010 2:13 a.m., Presto, Patrick wrote:
> One of our larger portal applications has had reports of users logging in and getting other users' content.
Your application is not sending Cache-Control: Private as it MUST in order to avoid caches at any level of the chain from caching your user-specific content. It's not just your caching server; there are ISPs that will cache your pages that have no caching directives too, exposing sessions to other users who use the same ISP. We saw it on our website until we added the correct directives to block caching.
Cheers,
Nicholas Sherlock

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
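The storability rule behind Nicholas's reply, as an added example that is not part of the original thread: a small Python check, written here from the shared-cache rules in RFC 7234 section 3 (simplified: method and status handling reduced to a status-code set), that decides whether a proxy or ISP cache is permitted to store a response. The header sets at the bottom are constructed for illustration, not captured from any real server; note that a plain 200 with no Cache-Control header at all is storable by default, which is exactly how one user's page ends up served to another.

```python
"""Added example (not from the original thread): can a shared cache store
this response?  Simplified from RFC 7234 section 3.  Sample headers below
are constructed, not captured from a real server."""
from __future__ import annotations

# Status codes a cache may store and serve with heuristic freshness even when
# the response carries no explicit expiry (RFC 7231 section 6.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Parse 'Private, max-age=600' into {'private': None, 'max-age': '600'}.

    Directive names are case-insensitive, so 'Private' (as written in the
    thread) is treated the same as 'private'."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def shared_cache_may_store(status: int,
                           response_headers: dict[str, str],
                           request_headers: dict[str, str] | None = None) -> bool:
    """True if a shared (proxy/ISP) cache is allowed to store the response."""
    req = {k.lower(): v for k, v in (request_headers or {}).items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    req_cc = parse_cache_control(req.get("cache-control", ""))

    # no-store on either side forbids storage outright.
    if "no-store" in cc or "no-store" in req_cc:
        return False
    # private forbids storage by a *shared* cache (a browser cache may keep it).
    if "private" in cc:
        return False
    # A request carrying Authorization is not storable unless the response
    # explicitly re-allows it with public, must-revalidate or s-maxage.
    if "authorization" in req and not ({"public", "must-revalidate", "s-maxage"} & cc.keys()):
        return False
    # Otherwise the response needs an explicit expiry, public, or a status
    # code that is cacheable by default.  Set-Cookie alone does NOT block
    # storage under the RFC rules, which is why a session page with no
    # Cache-Control header is at risk.
    explicit = ("expires" in resp or "max-age" in cc
                or "s-maxage" in cc or "public" in cc)
    return explicit or status in HEURISTICALLY_CACHEABLE


def harden_personalised_headers(response_headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of the headers with the directive the thread recommends.

    'private' is the thread's fix; adding 'no-store' (my addition) also keeps
    the page out of the browser's disk cache on shared machines."""
    hardened = dict(response_headers)
    hardened["Cache-Control"] = "private, no-store"
    return hardened


if __name__ == "__main__":
    # Constructed sample: a logged-in portal page sent with no caching headers.
    weak = {"Content-Type": "text/html", "Set-Cookie": "JSESSIONID=example"}
    print("weak headers storable by shared cache:",
          shared_cache_may_store(200, weak))                      # True
    print("hardened headers storable by shared cache:",
          shared_cache_may_store(200, harden_personalised_headers(weak)))  # False
```

Run it as a script to see the weak and hardened header sets side by side; the functions can also be dropped into a test that asserts every authenticated response in your application returns `False` from `shared_cache_may_store`.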