Subject: RE: [security-services] Preventing Caching
Thanks, this is very helpful. Note though that it mainly deals with proxy caches or shared caches, and we are also somewhat concerned about client caches, which are quite different.

> Naturally it is intended to deal primarily with the most
> common case of Browser to Server HTML content using HTTP GET Req/Resp.
>
> 1. Note that only responses are cached.
> 2. SSL/TLS traffic is not cached.

Client caches will indeed cache SSL pages if told to.

> 3. Traffic with auth headers or cookies is usually not cached.
> 4. Post responses are not cached.

Likewise, this isn't true of browsers.

> For these reasons, a SOAP message sent over HTTP with a POST
> method is unlikely to be cached even if no special steps are
> taken to suppress caching. Obviously a SAML Assertion carried
> in a POST message will never be cached.

Not one sent to a server, but the assertion sent to the browser during SSO can be, so that's the consideration we also have to take into account in the non-SOAP bindings.

> On the principle of using belt and suspenders, SAML nodes
> SHOULD do the following:

I'll incorporate this information into the bindings, thanks again.

-- Scott