Browsers cache pages. We all know that. But most browsers also cache SSL-secured pages. Such pages potentially contain sensitive data, and you don’t want anybody who has file access to your computer (administrator, remote attacker, virus or trojan) to be able to read that data in your browser cache, right?
You can double-check IE’s setting under Internet Options -> Advanced -> Security -> Do not save encrypted pages to disk.
To disable client-side caching (at least for RFC-compliant browsers) in ASP.NET, you can use the OutputCache directive, e.g.
<%@ OutputCache Location="None" VaryByParam="none" %>
You can also define a cache profile for sensitive pages in web.config:
<caching>
  <outputCacheSettings>
    <outputCacheProfiles>
      <add name="Sensitive" location="None" varyByParam="none"/>
    </outputCacheProfiles>
  </outputCacheSettings>
</caching>
…and refer to it on a page:
<%@ OutputCache CacheProfile="Sensitive" %>
If you want to disable caching programmatically (e.g. in a base page or module), you can do this:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
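One way to apply the programmatic approach from a module, as an added example that is not code from the original post: the class name NoCacheOnHttpsModule is hypothetical, and the SetNoStore and SetExpires calls go beyond the single call shown above. It assumes TLS terminates at the web server itself, so that Request.IsSecureConnection is true for HTTPS requests.

```csharp
using System;
using System.Web;

// Added example, not from the original post. Hypothetical module that marks
// every response served over HTTPS as non-cacheable, so individual pages do
// not each need an OutputCache directive.
// Register it like any other IHttpModule (<httpModules> in the classic
// pipeline, <modules> in the IIS integrated pipeline).
public sealed class NoCacheOnHttpsModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // BeginRequest is early enough: HttpCachePolicy only ever moves to a
        // more restrictive cacheability, so a page that later asks for
        // Public or Private caching cannot loosen NoCache again.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Assumption: TLS is terminated on this server. Behind an
        // SSL-offloading proxy IsSecureConnection is false and this check
        // has to be replaced by whatever signal the proxy provides.
        if (!context.Request.IsSecureConnection)
        {
            return;
        }

        HttpCachePolicy cache = context.Response.Cache;

        // Same call as in the post.
        cache.SetCacheability(HttpCacheability.NoCache);

        // Adds "no-store" to Cache-Control: the directive that tells the
        // browser not to write the response to disk at all.
        cache.SetNoStore();

        // An Expires date in the past, for clients that ignore Cache-Control.
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

To confirm the effect, inspect the response headers of a sensitive page in the browser's developer tools and check that Cache-Control contains both no-cache and no-store.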