Forum OpenACS Q&A: Re: Strange cross-caching of users

Collapse
Posted by Reuven Lerner on

Matthew, you're 100 percent right in what you're saying. At the same time:

  • I slightly overstated the need for security. The financial data is about aid requests that potential particpiants have submitted. If the information is released, then there will be a heckuva lot of embarrassment, and my head will be served up on a silver platter, but the organization won't go under, and no one will lose any money.
  • That said, the financial information is protected by a set of permissions that only we (the developers) can assign manually via the OpenACS site map. If we haven't explicitly given you permission to view the data, you won't see it.
  • The client's current security system is laughably bad. The financial data was passed around in cleartext e-mail several times per week for the last few years. And the computer on which the data is located sits in the middle of an office (without any password, of course) through which more than 100 people pass each day. I take computer and network security quite seriously, but I also have to be realistic -- and for this particular non-profit, the security that we've set up is so far beyond what they've had before that there's no comparison.
  • All this being true, we're being pretty vigilant about testing and double-checking ourselves.
  • You're probably right to have cookies expire on a regular basis. At the same time, I have a feeling that the client will be rather annoyed by having to log in again every so often. I'll run it by them later today, and will see what they say.

Finally: From the other thread that Jeff pointed me to, it looks like the pages are cached but the permissions and logins are not. This is a major relief, and means that I simply need to set the caching properties on personalized pages. The underlying security mechanism remains unchanged. I wouldn't mind setting a meta tag, as Matthew suggests, but doing these things in .tcl strikes me as a more elegant solution.

Thanks for the rapid and useful comments!

Collapse
Posted by Jeff Davis on
Two other possibilities for circumventing bad
caching proxies (beyond setting cache-control, etc headers) are to have sensitive pages
be https or to add a "sessionid" to the url (which will prevent cache hits since every url
would then be unique to the given session).  I think
both of those will work no matter how broken your proxy is.

Also, even if the pages are cached you cannot carry out
any operation that does a permissions check since the
session_id in the cookie will be correct even if the page
presented to the browser is wrong.