security-services message



Subject: RE: [security-services] Preventing Caching


Thanks, this is very helpful. Note though that it mainly deals with proxy
caches or shared caches, and we are also somewhat concerned about client
caches, which are quite different.

> Naturally it is intended to deal primarily with the most 
> common case of Browser to Server HTML content using HTTP GET Req/Resp.
> 
> 1. Note that only responses are cached.
> 2. SSL/TLS traffic is not cached.

Client caches will indeed cache SSL pages if told to.

> 3. Traffic with auth headers or cookies is usually not cached.
> 4. Post responses are not cached.

Likewise, this isn't true of browsers.

> For these reasons, a SOAP message sent over HTTP with a POST 
> method is unlikely to be cached even if no special steps are 
> taken to suppress caching. Obviously a SAML Assertion carried 
> in a POST message will never be cached.

Not one sent to a server, but the assertion sent to the browser during SSO
can be, so that's the consideration we also have to take into account in the
non-SOAP bindings.

> On the principle of using belt and suspenders, SAML nodes 
> SHOULD do the following:

I'll incorporate this information into the bindings, thanks again.

-- Scott
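The reply's point, that a browser cache stores SSL pages and POST responses (including the HTML page that carries an assertion to the browser during SSO) unless the response explicitly says not to, can be checked mechanically. The following is an added example for this thread, not code from the post or from any SAML implementation: it parses Cache-Control, applies a deliberately strict client-cache model (only an explicit `no-store` counts as an opt-out; method, TLS, cookies, `Pragma` and `Expires` are not trusted, which is the example's assumption), and audits a few constructed responses. The header set in `sso_response_headers()` is the example's assumption, since the message elides the list it refers to.

```python
"""Checking whether a SAML-bearing HTTP response may be cached by a browser.

Added example for this thread; not code from the post or from any SAML
implementation. It models the point made in the reply: POST responses,
SSL/TLS pages and cookie-bearing responses are still stored by client
caches unless the response says otherwise.
"""
from typing import Dict, List


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}.
    Directive names are case-insensitive; bare directives map to ''."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def browser_may_store(headers: Dict[str, str]) -> bool:
    """Model of a client (browser) cache, as assumed for this example:
    only an explicit Cache-Control: no-store is taken as a reliable opt-out.
    Request method, TLS, cookies, Pragma and Expires are deliberately NOT
    treated as protection, because the thread notes that browsers, unlike
    shared proxies, will store SSL pages and POST responses when allowed.
    """
    directives = parse_cache_control(get_header(headers, "Cache-Control"))
    return "no-store" not in directives


def sso_response_headers(body_length: int) -> Dict[str, str]:
    """Header set for the HTML page that carries an assertion to the browser
    during SSO. The Cache-Control/Pragma pair is the usual belt-and-suspenders
    choice (HTTP/1.1 directive plus the legacy HTTP/1.0 signal); the thread
    elides its own list, so this set is the example's assumption."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(body_length),
        "Cache-Control": "no-cache, no-store",
        "Pragma": "no-cache",
    }


# Constructed sample responses (name -> headers); not captured traffic.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    # HTTPS POST-binding page with no cache directives: still storable.
    "post-binding-no-headers": {
        "Content-Type": "text/html",
        "Set-Cookie": "session=constructed-value; Secure",
    },
    # Expires in the past and Pragma only: legacy hints, not an opt-out here.
    "legacy-hints-only": {
        "Content-Type": "text/html",
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
        "Pragma": "no-cache",
    },
    # The hardened header set from sso_response_headers().
    "post-binding-hardened": sso_response_headers(body_length=2048),
}


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of responses from which a browser cache might store an assertion."""
    return [name for name, hdrs in responses.items() if browser_may_store(hdrs)]


if __name__ == "__main__":
    for name in audit(SAMPLE_RESPONSES):
        print(f"{name}: assertion may be stored by the client cache")
```

Running the audit flags the two constructed responses that rely on transport or legacy hints alone and passes only the one carrying an explicit `no-store`; in practice the same check can be run against a real SSO endpoint's response headers to confirm the bindings' caching requirements are actually emitted.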
