on 5/18/01 8:44 AM, "Gareth Coltman" <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> Using the Turbine Security Manager today I noticed something odd. When I log
> out, I am still able to use the back button to look at pages that should
> have expired, because they are being fetched from the client's cache. When I
> refreshed the page, I was presented with the login screen as I would expect.
> This is quite a serious flaw if the data is very sensitive.
>
> Surely the server should have set the response expiry so the browser always
> tries to reload the page? I can't believe that this hasn't been brought up
> before, so apologies in advance if it has...
>
> Gareth

We don't set the expiration headers. That is your job to do if you want to
do it.

Also, if the user clicks on any of the links in the page after having
clicked the back button, then the links won't work if you have things
properly secured yourself.

-jon
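
One way to set the expiry headers discussed in this thread, as an added example that is not part of the original messages and is not Turbine code: a servlet filter (the class name `NoStoreFilter` is hypothetical) assumed to be mapped in `web.xml` to the URL pattern of the pages that require a login.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class name): marks every response it is mapped
 * to as non-storable, so the back button after logout triggers a new request
 * that the server can answer with the login screen instead of a cached page.
 */
public class NoStoreFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) res;
            // Set the headers before the chain runs: once the page starts
            // writing its body the response may be committed, and header
            // changes made after that point are ignored.
            // HTTP/1.1 caches: do not store the response, and revalidate
            // with the server before reusing anything already held.
            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            // HTTP/1.0 clients and proxies that do not understand Cache-Control.
            response.setHeader("Pragma", "no-cache");
            // An expiry date at the epoch marks the page as already stale.
            response.setDateHeader("Expires", 0L);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

These headers only control what the browser keeps; the session still has to be invalidated on the server at logout so that requests made from an old page are rejected.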