nocache?
20 views
Skip to first unread message
Joshua Cowles
Aug 3, 2015, 5:59:04 PM8/3/15
to webc-...@googlegroups.com
Hi all,
Is nocache an actual API option? I am having a problem where certain account information can be accessed via the back button even after the user has logged out of a website. My usual (non webconverger) computers don't have this issue. I thought maybe disabling the cache would do the job & I seemed to remember "nocache" for some reason, tried it, and it actually seemed to fix the problem. But when I went to check the config API documentation to see if it was doing what I thought it was, I couldn't find anything on nocache.
Josh Cowles
Kai Hendry
Aug 3, 2015, 11:52:10 PM8/3/15
to webc-...@googlegroups.com
Hi there Josh,
Caching is a modern browser (Firefox) feature. I've reproduced the same
sort of "caching" behaviour in Chrome. I.e. fill a form. Click back and
the form is as you left it.
The Webconverger way of avoiding this issue, is to mandate the user
closes the session (i.e. last tab) before the next user comes along.
That way the session is properly cleaned. So you must inform your users
to close the session, else we will go down a rat hole when it comes to
private data. It simply is the wrong approach to rely on Web
applications to invalidate the session without wiping the slate clean as
Webconverger does it!
That said, your Web application in question almost certainly has a bug.
Your developers need to pass some combination of 'no-cache', 'no-store'
and 'must-revalidate' in the http headers.
https://www.ietf.org/rfc/rfc2616.txt
I hope this answers your question! =)
Caching is a modern browser (Firefox) feature. I've reproduced the same
sort of "caching" behaviour in Chrome. I.e. fill a form. Click back and
the form is as you left it.
The Webconverger way of avoiding this issue, is to mandate the user
closes the session (i.e. last tab) before the next user comes along.
That way the session is properly cleaned. So you must inform your users
to close the session, else we will go down a rat hole when it comes to
private data. It simply is the wrong approach to rely on Web
applications to invalidate the session without wiping the slate clean as
Webconverger does it!
That said, your Web application in question almost certainly has a bug.
Your developers need to pass some combination of 'no-cache', 'no-store'
and 'must-revalidate' in the http headers.
https://www.ietf.org/rfc/rfc2616.txt
I hope this answers your question! =)
Joshua Cowles
Aug 4, 2015, 12:08:05 AM8/4/15
to webc-...@googlegroups.com
Unfortunately its not my application and there is no way to effectively inform users. The best we can do is inactivity resets, which we are already doing. I am puzzled about why this isn't reproducible in chrome or firefox on my regular desktops. But in any case, I can't change the app and can't trust the users, so I am trying to do the best I can short of that.
Thanks for the response. Let me know if there is anything else that comes to mind.
--
You received this message because you are subscribed to the Google Groups "Webconverger Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to webc-users+...@googlegroups.com.
To post to this group, send email to webc-...@googlegroups.com.
Visit this group at http://groups.google.com/group/webc-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/webc-users/1438660326.1581895.347010001.380691C7%40webmail.messagingengine.com.
For more options, visit https://groups.google.com/d/optout.
Kai Hendry
Aug 4, 2015, 12:13:42 AM8/4/15
to webc-...@googlegroups.com
On Tue, 4 Aug 2015, at 12:08 PM, Joshua Cowles wrote:
> already doing. I am puzzled about why this isn't reproducible in chrome
> or
> firefox on my regular desktops. But in any case, I can't change the app
> and can't trust the users, so I am trying to do the best I can short of
> that.
Could you please let me know the application or preferably reduce it to
> already doing. I am puzzled about why this isn't reproducible in chrome
> or
> firefox on my regular desktops. But in any case, I can't change the app
> and can't trust the users, so I am trying to do the best I can short of
> that.
a test case? Then I can better determine where the fault lies. You
really should be able to reproduce it. We don't add any preferences to
cache! ;)
You could try something like:
prefs=http://prefs.webconverger.com/2015/nofill.js
But I think that's a red herring and not applicable.
Kind regards,
Kai Hendry
Aug 5, 2015, 10:54:28 PM8/5/15
to webc-...@googlegroups.com
I've opened a bug
https://github.com/Webconverger/webconverger-addon/issues/63 so you can
track an idea to fix errant pages that cache.
Any help (patches, testing) would be gratefully received! So please
subscribe to the bug.
Cheers!
https://github.com/Webconverger/webconverger-addon/issues/63 so you can
track an idea to fix errant pages that cache.
Any help (patches, testing) would be gratefully received! So please
subscribe to the bug.
Cheers!
Joshua Cowles
Aug 12, 2015, 10:45:43 PM8/12/15
to webc-...@googlegroups.com
Hi Kai,
I apologize for the delay in responding. Juggling too many things and you are, as usual, very quick! Thank you for the responses. I have subscribed to the bug.
I apologize for the delay in responding. Juggling too many things and you are, as usual, very quick! Thank you for the responses. I have subscribed to the bug.
The app is: http://fdlp.ent.sirsi.net/client/fdlpl
Specifically, the My Account feature.
I don't have a test account that you can log into but I may be able to set one up if you would find that helpful.
What it's showing is not just filled form data, but complete pages of personalized info. when hitting the "back" button.
I will do some more testing here to see if I can get a better understanding of it and let you know if I uncover anything useful.
Thanks,
Josh
--
You received this message because you are subscribed to the Google Groups "Webconverger Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to webc-users+...@googlegroups.com.
To post to this group, send email to webc-...@googlegroups.com.
Visit this group at http://groups.google.com/group/webc-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/webc-users/1438829665.3177582.349025513.1A12C8D9%40webmail.messagingengine.com.
Reply all
Reply to author
Forward
0 new messages