SitePoint Sponsor

User Tag List

Results 1 to 19 of 19
  1. #1
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)

    Browser Caching Questions

    Is there a way to prevent images (and content) from being cached in a user's browser?

    (I am asking this from the website's point-of-view and not any settings that a user would set on his/her computer.)

    Thanks,


    Debbie

  2. #2
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,331
    Mentioned
    463 Post(s)
    Tagged
    8 Thread(s)
    You can tell the browser not to cache pages if you want. Here is a discussion about it:

    http://www.sitepoint.com/forums/show...ated&p=4753771

  3. #3
    ¬.¬ shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Why would you want to stop caching...and why is this in Web Security?
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  4. #4
    Life is not a malfunction gold trophysilver trophybronze trophy
    TechnoBear's Avatar
    Join Date
    Jun 2011
    Location
    Argyll, Scotland
    Posts
    6,448
    Mentioned
    274 Post(s)
    Tagged
    5 Thread(s)
    Quote Originally Posted by logic_earth View Post
    Why would you want to stop caching...and why is this in Web Security?
    Perhaps it follows on from this discussion: http://www.sitepoint.com/forums/show...ng-Cache-Flush
    Don't serve your porridge and then go out for a walk.

  5. #5
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by logic_earth View Post
    Why would you want to stop caching...and why is this in Web Security?
    I am working on a project that deals with Online Testing.

    My client pays current and retired school teachers to write Test Questions/Answers for a Test-Bank. Any breach of that content would obviously be catastrophic!!

    The Test Writers log into my client's web application over a secure connection, and write the Test Materials, which are saved on the server. Once the Test Questions/Answers have been approved, the Test Writer will never be able to see them again.

    However, the fear is that a person writing Test Questions/Answers might be working on their Home Computer or a School Computer, and that either their own kids, or their students could easily get access to the Test Materials if the browser were caching (i.e. saving) the Test Pages and Test Images.

    Questions/Answers are usually in "Text" format, but there are many cases where they could be in an "Image" format as well (e.g. Mathematical Formulas, Illustrations, Maps, Diagrams, etc).

    So, if the Test Writer's computer or browser is somehow saving permanent copies of the Web Pages or Web Images, then that would be a data breach.

    Now, I understand the concept that anything you see on the Internet needs to be downloaded onto your computer for viewing - unless it is streaming audio/video. However, I believe there may be ways to make sure that your Operating System or Browser isn't caching hundreds of pages that could be easily retrieved.

    For example, not too long ago on Windows you could surf around your C: drive and find copies of old Web Pages and Web Images quite easily. (In fact, this is why I refuse to do Online Banking, because I did a quick test on my old Windows XP machine, and found images of all the cancelled checks?!)

    The debate at work is really centered more around the belief - which I believe is false - that if we use Internet Explorer that all of these issues go away?!

    I'm no expert, but my understanding is that *IF* anything can be done to stop caching/saving of Web Pages and Web Images, then you should be able to do it for *any* Browser and Operating System.

    (Note, performance isn't an issue here, so if the Web page/Images have to be reloaded every time they are accessed, no big deal.)

    BTW, my client assumes that the Test Writers are trustworthy people who are not copying/saving content on their own. (Obviously nothing can prevent that!)

    What they are just more concerned about is an un-technically savvy school-teacher hanging his/herself!!

    Hope that makes more sense?!


    Debbie

  6. #6
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,680
    Mentioned
    20 Post(s)
    Tagged
    3 Thread(s)
    DD,

    That sounds more like a History question. If I remember correctly, there are ways to eliminate - or prevent - pages from being logged to a browser's history but I'll let you search for them. Because it appears to be a browser-centric question, you will likely have to research each one.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  7. #7
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by dklynn View Post
    DD,

    That sounds more like a History question. If I remember correctly, there are ways to eliminate - or prevent - pages from being logged to a browser's history but I'll let you search for them. Because it appears to be a browser-centric question, you will likely have to research each one.

    Regards,

    DK
    Does anyone else agree with this?


    Debbie

  8. #8
    SitePoint Enthusiast
    Join Date
    Nov 2009
    Posts
    37
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Does anyone else agree with this?


    Debbie
    If by history, they mean the browser file cache, yes. If they mean the list of recently visited websites, then no.


    It's a cache issue. Browsers cache HTML,CSS, JavaScript, images, etc, in a folder on your computer, so they don't have to download them a second time, when you refresh the page, unless the files have changed, then they fetch them again. Depending on last modified headers, etc.

    As others have suggested, you can send headers to tell the browser not to cache the files.
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.

  9. #9
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,807
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Quote Originally Posted by dklynn View Post
    DD,

    That sounds more like a History question. If I remember correctly, there are ways to eliminate - or prevent - pages from being logged to a browser's history but I'll let you search for them. Because it appears to be a browser-centric question, you will likely have to research each one.

    Regards,

    DK
    Does anyone else agree with this?


    Debbie
    Yes.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  10. #10
    SitePoint Member
    Join Date
    Oct 2012
    Location
    4331 Horner Street Youngstown
    Posts
    11
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The original question was about the content storage, if I understand correctly.
    There is a small technical problem: webmasters commonly used "non-chache" directive while the browser is still able to store the data.

  11. #11
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Austin80ss View Post
    The original question was about the content storage, if I understand correctly.
    There is a small technical problem: webmasters commonly used "non-chache" directive while the browser is still able to store the data.
    I was asking about either Images or Content being stored on the end user's computer, and thus causing a security risk.


    Debbie

  12. #12
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,097
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    The debate at work is really centered more around the belief - which I believe is false - that if we use Internet Explorer that all of these issues go away?!


    If there is any browser that caches stuff for way to long, it's IE. I've had instances where just clearing the history and restarting the browser wasn't enough, I had to restart the computer completely to rid of IE's cache. This was in ye olden IE6 days mind you, but still.

    Anyway, sending Cache-Control headers with the values no-cache, no-store and private (see http://palizine.plynt.com/issues/200...ol-attributes/) for both the document as well as for all the images should do the trick.

    And if at all possible, serve over SSL. Most browsers are hesitant to cache anything they download over an SSL connection.
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  13. #13
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ScallioXTX View Post


    If there is any browser that caches stuff for way to long, it's IE. I've had instances where just clearing the history and restarting the browser wasn't enough, I had to restart the computer completely to rid of IE's cache. This was in ye olden IE6 days mind you, but still.
    I agree.


    Anyway, sending Cache-Control headers with the values no-cache, no-store and private (see http://palizine.plynt.com/issues/200...ol-attributes/) for both the document as well as for all the images should do the trick.
    But isn't that easy to over-ride?

    I mean, couldn't a browser ignore all of that?

    And couldn't how a user has his/her browser set up, also over-ride those?

    And, couldn't a user manually over-ride those?


    And if at all possible, serve over SSL. Most browsers are hesitant to cache anything they download over an SSL connection.
    Now that is a very good point!! (I think that is something they could do and would support.)

    -------
    BTW, backing up for a moment, does my original post make sense about what they are concerned about?

    And from a business perspective, just how effective can they be in trying to prevent test material from leaking out? (I guess I see this analogous to banking online from home - or even worse from wok or a public computer - and wanting to make sure that nothing you did or saw ended up stored in an unsecured location. For example, copies of cancelled checks, copies of bank statements, any content that might include personal or banking information, etc.)

    Thanks,


    Debbie

  14. #14
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,872
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    And from a business perspective, just how effective can they be in trying to prevent test material from leaking out? (I guess I see this analogous to banking online from home - or even worse from wok or a public computer - and wanting to make sure that nothing you did or saw ended up stored in an unsecured location. For example, copies of cancelled checks, copies of bank statements, any content that might include personal or banking information, etc.)
    Those are actually exact opposite situations since with online banking etc you are at the computer where the files are cached and can therefore tell the browser to clear the cache and no one can prevent it. With the situation you are looking at it is the server trying to prevent caching and the person sitting in front of the browser who has the ability if they know how to override whatever you do and cache the files anyway. As with anything sent to the browser the person using the browser has control.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  15. #15
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,097
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    But isn't that easy to over-ride?
    Possible, yes. Easy, no.

    Quote Originally Posted by DoubleDee View Post
    I mean, couldn't a browser ignore all of that?
    Yes, those headers are only suggestions. A browser can just ignore all of them if they want.

    Quote Originally Posted by DoubleDee View Post
    And couldn't how a user has his/her browser set up, also over-ride those?
    I can't remember ever seeing settings in a browser for this.

    Quote Originally Posted by DoubleDee View Post
    And, couldn't a user manually over-ride those?
    An advanced user could side-jack his own connection (if it's not SSL) and change those values, or write a browser extension to change it, yes, but is by no means within the realm of possibilities of the average internet user.


    Also, with regards to the images, if you don't show them back to the user after they've uploaded them they will not be stored in the cache, because they've never been downloaded. The bigger problem here is that the image is still on the computer, because that's where it's uploaded from.

    This sounds to me like a situation where you can give it your very best to prevent caching, but you can never 100% it.
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  16. #16
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ScallioXTX View Post
    Also, with regards to the images, if you don't show them back to the user after they've uploaded them they will not be stored in the cache, because they've never been downloaded. The bigger problem here is that the image is still on the computer, because that's where it's uploaded from.

    This sounds to me like a situation where you can give it your very best to prevent caching, but you can never 100% it.
    I'm not sure what you are saying here, and think you may be misunderstanding me about images.

    While there could be someone who uploads an image for the test, I don't believe that would be common, since I am pretty sure all of the graphic design stuff happens in house.

    However, the person writes the test questions and answers, or the person who approves what the author wrote, would need to see the image, thus it would be downloaded.

    For example, let's say there is a math question about a triangle, and along with the test question and answer, there is an image of a right triangle with the length of one side and the two acute angles also noted in the image.

    The fear is that the autor or lead who approves things, might be doing so from school or at home, and if an unauthorized person got a hold of the cached webpages/images, then that image or a right triangle might clue them in on how the test is written, or on what a possible question might be.

    It could be something even more specific, like a custom map of the U.S. showing certain features (e.g. former territory borders, natural resources, etc.) that could be used on several tests, and again, by having a copy f that image, people could use it to cheat or at least be really prepared for the tests.

    I know you have to let viewers of the webpage download the image to view it, but the fear is that the image persists on the user's computer long after they have accessed the image.

    For example, an author has permissions on the server side to view a question while it is being authored, but as soon as the lead approves the question and answer as "valid", then that author - who is usually a hired consultant - will never have access to the question again, because for what they are being paid to do, they have no need to go back and see it.

    So is Jane Doe writes a test question and answer with an image to support things, then after her test question/answer/image are approved, she shouldn't be seeing it on her computer, which could be at work, at school - if she is a teacher by day - or at home with possibly tons of kids!!

    If the content of the test question or answer, or the image get stored on ANYONE'S computer, whether through webpages being stored in temporary locations, or image caching, or something the browser does to temporarily store things, or something the operating system does to temporary store things, then that Test Question/Answer/Image have in essence been "breached"...

    Hope that makes sense.

    Not sure how that changes your response one the image part?!

    Thanks,



    Debbie

  17. #17
    ¬.¬ shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    I'm going to be honest here. I think you are over thinking the scenarios and making this a lot more complicated then it needs to be. Simplicity is a beautiful thing. The fact of the matter is, having a single image would not compromise a test, having taken quite a bit of test myself. Having part of an image to a math problem is not going to give anything away. Now unless the answer itself was an image? Maybe. Also you brought up a teacher at home with a bunch of kids...who probably won't even be taking the test in the first place? And if they were, I'm sure their mother being a teacher and all will understand the "keep the answers a secret" type thing. As for school computers, the chance of a student have prolong unsupervised access to a teachers account, while not unheard of, snooping in the browsers cache is not a activity I would see them doing. Looking into the cache is not something people thing about.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  18. #18
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,934
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by logic_earth View Post
    I'm going to be honest here. I think you are over thinking the scenarios and making this a lot more complicated then it needs to be. Simplicity is a beautiful thing. The fact of the matter is, having a single image would not compromise a test, having taken quite a bit of test myself. Having part of an image to a math problem is not going to give anything away. Now unless the answer itself was an image? Maybe. Also you brought up a teacher at home with a bunch of kids...who probably won't even be taking the test in the first place? And if they were, I'm sure their mother being a teacher and all will understand the "keep the answers a secret" type thing. As for school computers, the chance of a student have prolong unsupervised access to a teachers account, while not unheard of, snooping in the browsers cache is not a activity I would see them doing. Looking into the cache is not something people thing about.
    A few comments...

    1.) I am just researching things for work, and relaying what the concerns are.

    2.) As a technical person, I am trying to get to the "truth" about what can and cannot be done with the technology (e.g. browser caching, etc.)

    3.) These tests go out to MILLIONS of students, so to imply "I'm over-thinking this" or "It's not that big of a risk" would be wrong!!


    ScallioXTX's link and suggestion to use HTTPS seems like the best advice so far, but I welcome more thoughts.

    Thanks,


    Debbie

  19. #19
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    9,097
    Mentioned
    153 Post(s)
    Tagged
    2 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Not sure how that changes your response one the image part?!
    Yup, I thought the test creators needed to upload images, but apparently they don't. Not sure where those images come from them but I'm sure you've got something for that
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •