000021697 - Browser caching on RSA ClearTrust protected resources

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021697

Applies To: RSA ClearTrust 5.5, Microsoft Windows 2000

Issue: Browser caching on RSA ClearTrust protected resources
After a user authenticates to an RSA ClearTrust protected resource and navigates to another web resource, the browser caches in memory the contents displayed from the accessed resources. If the address of the original ClearTrust protected resource is then entered, the browser loads the protected resource contents from its cache.
While the browser cache is displaying an RSA ClearTrust protected resource, a user who is not entitled to view the resource contents could potentially view the protected resource.

Cause: This is expected browser caching behavior. Once an accessed page has been captured in the browser's cache memory, the browser presents its contents from the cache when the page is accessed again and does not request it again from the web server.

Resolution: According to the Microsoft web site at http://support.microsoft.com/kb/Q234067/, the web resource can be modified to include the following code:

<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD>
<BODY>
</BODY>
</HTML>

where:
Pragma: no-cache prevents caching only when used over a secure connection.
Expires: -1, if used in a non-secure page, means the page will be cached but marked as immediately expired.

According to http://www.experts-exchange.com/Web/WebDevSoftware/Visual_Interdev/Q_20803413.html, the web resource can be modified so that when the page is initially accessed, it is not stored in the browser's cache memory. Add the following to the beginning and end of your HTML code:

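<head>
<%
  ' Buffer the response so the headers below can be set before output is sent
  Response.Buffer = True
  ' Mark the page as already expired
  Response.Expires = 0
  Response.ExpiresAbsolute = Now() - 1
  ' Ask the browser not to reuse a stored copy
  Response.AddHeader "pragma", "no-cache"
  Response.AddHeader "cache-control", "no-cache"
%>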
<META Http-Equiv="Cache-Control" Content="no-cache">
<META Http-Equiv="Pragma" Content="no-cache">
<META Http-Equiv="Expires" Content="0">

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
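
An added example, not part of the RSA article or the sources it cites: a Python check that takes a captured response from a protected resource and reports whether each of the three directives above arrives as a real HTTP header, only as a META tag, or not at all. The function names and both sample responses are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser

DIRECTIVES = ("cache-control", "pragma", "expires")

class MetaCollector(HTMLParser):
    """Collects <META HTTP-EQUIV=...> values for the three cache directives."""
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        name = a.get("http-equiv", "").lower()
        if tag == "meta" and name in DIRECTIVES:
            self.found[name] = a.get("content", "")

def is_set(name, value, now):
    """True when the value tells the browser not to reuse a stored copy."""
    if name == "expires":
        try:
            return parsedate_to_datetime(value) <= now
        except (TypeError, ValueError):
            return True  # "0" and "-1" are not dates; treated as already expired
    return "no-cache" in value.lower()

def audit(raw_response, now=None):
    """Report where each directive is set: 'header', 'meta-only' or 'missing'."""
    now = now or datetime.now(timezone.utc)
    head, _, body = raw_response.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # [1:] skips the status line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    metas = MetaCollector()
    metas.feed(body)
    report = {}
    for name in DIRECTIVES:
        if name in headers and is_set(name, headers[name], now):
            report[name] = "header"
        elif name in metas.found and is_set(name, metas.found[name], now):
            report[name] = "meta-only"
        else:
            report[name] = "missing"
    return report

# Constructed samples: ASP-style response headers, and a static page with META tags only.
ASP_STYLE = "HTTP/1.1 200 OK\nCache-Control: no-cache\nPragma: no-cache\nExpires: Thu, 01 Jan 2015 00:00:00 GMT\n\n<html><head></head><body>report</body></html>"
META_ONLY = 'HTTP/1.1 200 OK\nContent-Type: text/html\n\n<HTML><HEAD><META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Expires" CONTENT="-1"></HEAD><BODY></BODY></HTML>'
```

A "meta-only" result means the directive is visible only to a browser that parses the HTML; anything that looks at HTTP headers alone, such as an intermediate cache, never sees it.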
Legacy Article ID: a24384
