Caching and SSL Pages

Browsers cache pages. We all know that. But most browsers also cache SSL secured pages. Such pages potentially contain sensitive data and you don’t want that anybody who has file access to your computer (administrator, remote attacker, virus or trojan) can read that data in your browser cache, right?

You can double check IE’s settings in Internet Options->Advanced->Security->Do not save encrypted pages to disk.

To disable client side caching (at least for RFC compliant browsers) in ASP.NET, you can use the OutputCache directive, e.g.

<%@ OutputCache Location=”None” VaryByParam=”none” %>

You can also define a cache profile for sensitive pages in web.config:

<caching>

  <outputCacheSettings>

    <outputCacheProfiles>

      <add name=Sensitive location=None varyByParam=none/>

    </outputCacheProfiles>

  </outputCacheSettings>

</caching>

…and refer to it on a page:

<%@ OutputCache CacheProfile=”Sensitive” %>

If you want to programmatically disable caching (e.g. in a base page or module) you can do this:

Response.Cache.SetCacheability(HttpCacheability.NoCache);

 

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s