Security of self-service (e.g. HR) apps, utilizing Apache
Hi, all,
Sorry for cross-posting this to the list and the forums, but I am in desperate need for some guidance here (I have researched the web for the last 24 hours, almost continuously, to no avail).
My company has recently deployed self-service apps (started with the HR "module"), and we discovered that a problem with utilizing this system, especially in areas where PCs are shared, consists in the ability of users to choose methods as simple as (in MS Explorer, for example): work offline --> then history --> then picking on previously visited pages and looking at other people's info, regardless of whether previous users have logged off the application properly, or not.
We have found solutions at the browser level (e.g. as we are running SSL - just keeping encrypted pages from being saved, by doing the following in IE: Tools --> Internet Options ... --> Advanced --> Security --> Do not save encrypted pages to disk - and even found ways to deploy this via a registry hack through the login script) on how to keep this from happening, but sophisticated users will always undo those changes, aside from the administrative nightmare such solutions would require across multi-thousand multi-country PCs (thus browsers) deployment.
As we are running Apache at the server end, I was wondering if anyone would have a good recommendation for forcing the "non-caching"/"non-history keeping" of such pages. I am aware of the possibility of utilizing meta tags and/or Pragmas (e.g. expiration forced, etc.) in "static HTML", but this won't work properly in the environment of dynamically created pages as in the self-service apps of Oracle ... so - has anybody ever run across this problem (I would see it as a basic security requirement, but couldn't find any docs discussing it)? How did you address it?
TIA,
Stef
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: stef
INET: stefmit_at_starband.net

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).

Received on Fri Oct 25 2002 - 07:08:41 CDT