Oracle FAQ Your Portal to the Oracle Knowledge Grid

Security of self-service (e.g. HR) apps, utilizing Apache

From: stef <stefmit_at_starband.net>
Date: Fri, 25 Oct 2002 04:08:41 -0800
Message-ID: <F001.004F3825.20021025040841@fatcity.com>


Hi, all,

Sorry for cross-posting this to the list and the forums, but I am in desperate need for some guidance here (I have researched the web for the last 24 hours, almost continuously, to no avail).

My company has recently deployed self-service apps (started with the HR "module"), and we discovered a problem with utilizing this system, especially in areas where PCs are shared: users can use methods as simple as (in MS Explorer, for example) work offline --> then history --> then picking previously visited pages and looking at other people's info, regardless of whether the previous users have logged off the application properly or not.

We have found solutions at the browser level (e.g. as we are running SSL - just keeping encrypted pages from being saved, by doing the following in IE: Tools --> Internet Options ... --> Advanced --> Security --> Do not save encrypted pages to disk - and even found ways to deploy this via a registry hack through the login script) on how to keep this from happening, but sophisticated users will always undo those changes, aside from the administrative nightmare such solutions would require across multi-thousand multi-country PCs (thus browsers) deployment.

As we are running Apache at the server end, I was wondering if anyone would have a good recommendation for forcing the "non-caching"/"non-history keeping" of such pages. I am aware of the possibility of utilizing Metatags and/or Pragmas (e.g. forced expiration, etc.) in "static HTML", but this won't work properly in the environment of dynamically created pages as in the self-service apps of Oracle ... so - has anybody ever run across this problem (which I would see as a basic security requirement, but couldn't find any docs discussing it)? How did you address it?

TIA,
Stef

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: stef
  INET: stefmit_at_starband.net
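A server-side approach to what the post asks for, added here as an example and not from the original thread, from Oracle, or from Apache's own documentation: an Apache mod_headers/mod_expires fragment that stamps every response under the self-service URL prefix with no-store caching headers, so the browser's offline/history feature has nothing on disk to replay, whether the page was static or generated dynamically. The `/selfservice` prefix and the Apache 2.x module names are assumptions; substitute the real application path.

```apache
# Assumed: Apache 2.x with mod_headers and mod_expires loaded,
# self-service pages served (or reverse-proxied) under /selfservice.
# Headers are added by the web server, so the application does not
# need to emit META tags or Pragmas itself.
<IfModule mod_headers.c>
    <Location /selfservice>
        # no-store is the directive that forbids writing the response
        # to disk; no-cache / must-revalidate alone still allow a
        # stored copy that "Work Offline" and History can replay.
        Header set Cache-Control "no-store, no-cache, must-revalidate, private"
        # Pragma: no-cache is for HTTP/1.0 clients and proxies.
        Header set Pragma "no-cache"
        # A date in the past makes any stored copy immediately stale.
        Header set Expires "Thu, 01 Jan 1970 00:00:00 GMT"
        # Remove validators so a client cannot revalidate an old copy
        # with If-None-Match / If-Modified-Since and get a 304.
        Header unset ETag
        Header unset Last-Modified
    </Location>
</IfModule>

<IfModule mod_expires.c>
    <Location /selfservice>
        # Belt and braces: mod_expires sets Expires/Cache-Control max-age=0
        # on responses that mod_headers did not touch (e.g. error pages).
        ExpiresActive On
        ExpiresDefault "access plus 0 seconds"
    </Location>
</IfModule>

# Check from a client after restarting Apache (assumed host name):
#   curl -k -I https://hr.example.internal/selfservice/
# and confirm Cache-Control: no-store appears on the response.
```

One caveat worth testing in the shared-PC environment: older Internet Explorer versions refuse to save file downloads (attachments, exports) from SSL pages carrying `no-store`/`no-cache`, so such download URLs may need a separate Location with milder headers.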

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
Received on Fri Oct 25 2002 - 07:08:41 CDT
