how do i remove the security risk, due to cached v

Posted 2019-08-16 23:01

Question:

please refer to the link

why does the value of session variable remain even after all the code of destruction?

In the above, the problem is that the login function made by me fails, as the browser is displaying the cached version of the page, which also, I DO NOT KNOW WHY, is capable of performing all the functions for a certain time limit, after which it REALIZES THAT IT'S CACHED!!

so,

how to remove the cached version of the website,

OR

how to tell DO NOT MAKE MY COPY IN CACHE!!!

by using C#

Answer 1:

The most you can do is add an expires meta tag to the pages that you don't want the browser to cache

<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="No-Cache, No-Store">

Or alternatively, in ASP.NET, after the Page tag add

<%@ OutputCache Duration="0" Location="none" NoStore="true" %>

In code behind for C#

Response.Cache.SetNoStore();
Response.Cache.SetExpires(DateTime.Now);
Response.Cache.SetCacheability(HttpCacheability.NoCache);

For more information refer to http://msdn.microsoft.com/en-us/library/06bh14hk(v=VS.100).aspx

A further detailed article here http://www.mnot.net/cache_docs/

EDIT: Updated after comments from Alxandr



Answer 2:

It sounds like you're concerned about the cached version of the page on the client side. If this is true you have two primary ways of addressing that concern. You can either add a no-cache attribute to the HTTP Header or in the page's META tags. The HTTP Header approach is the recommended approach.

The META Tag Approach

<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">

The HTTP Header Approach

Cache-Control: max-age=3600, must-revalidate

My below cited link will give you a wealth of information on HTTP Headers and META Headers. I recommend you read it to understand the options as well as see example implementations in various languages and HTTP Servers.



Answer 3:

Donut caching and server side only caching will fix this issue. In the hole (the donut center) you validate the user's login. If it is invalid, perform a redirect 301 to the login page.



Answer 4:

The browser WILL make copies of it in cache. Shouting about it won't make it go away. This should not be a security risk unless you are doing dumb things elsewhere. Even if you do have security issues, preventing the cache from making copies will not solve the problem.

So: You can prevent the browser from caching, but it is NOT what you want to do. The browser will still save a copy of the web page into the hard drive; it just won't try to display it. None of that is a security issue.
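
The following is an added example, not code from any of the answers above: it puts the code-behind calls from Answer 1 into a base page class and pairs them with a server-side session check and a logout routine, so a redisplayed cached copy cannot act for a signed-out user. The class name `AuthenticatedPage`, the session key `UserId` and the `~/Login.aspx` URL are assumptions; `ASP.NET_SessionId` is the default ASP.NET session cookie name.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: pages that require a login inherit from this instead of Page.
public class AuthenticatedPage : Page
{
    // Assumed session key written by the login code.
    protected const string UserKey = "UserId";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // The calls from Answer 1, sent as real HTTP headers on every protected response.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        Response.AppendHeader("Pragma", "no-cache"); // for HTTP/1.0 caches

        // Cache headers only control what the browser redisplays.
        // The access decision is made here, on the server, for every request.
        if (Session[UserKey] == null)
        {
            // Default overload ends the response, so no later page code runs.
            Response.Redirect("~/Login.aspx");
        }
    }

    // Call from the logout button's click handler.
    protected void SignOut()
    {
        Session.Clear();   // drop all session variables now
        Session.Abandon(); // discard the server-side session at end of request

        // Expire the session cookie so the browser stops sending the old id.
        // Adjust the name if <sessionState cookieName="..."> is configured.
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });

        Response.Redirect("~/Login.aspx");
    }
}
```

With this in place, a page restored from the browser's history can still be shown, but any postback or link it triggers reaches `OnInit`, finds no `UserId` in the session and is redirected to the login page.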