Friday, April 6, 2007

Why you should disable dynamic objects caching on your proxy server

If you run a proxy server in your organization, think carefully before enabling caching for dynamic objects. Dynamic objects are typically pages that change based on user input, or a similar page that shows different information depending on who is logged on.

Why you should not enable caching for dynamic objects?
Because there is a chance that logged-in pages on sites like MySpace or Blogger (this one) will be cached and served to the wrong person. When someone logs in, say I log in to Blogger as sanjay@gmail.com, I suddenly see the blog of my colleague, say, Frank Rovers.

This is not a "vulnerability" per se; it is just how proxies work when you ask them to cache dynamic objects, combined with how these sites keep authentication "alive" across requests for convenience.

I actually saw this in our own network, and about 3 clients reported the same issue. I must admit this is also a poor implementation of authentication on these sites (including Blogger!). Cookies or auth sessions should expire immediately when a person closes his/her browser, moves away to another page, goes idle, etc.

This "issue" can also be present in cybercafés that run proxies, so be careful when logging on to these sites, especially in public places like these. So far, I have seen blogger.com and myspace.com loading other people's profiles when I was supposed to see my own.

So, again, if you run proxies in a large organization, protect people's privacy and disable dynamic caching altogether.
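The other half of the fix is on the server side: a personalised response that does not say `Cache-Control: private` or `no-store` is fair game for any shared proxy. The following is an added example, not code from the original post, that audits a site's own response headers for the three conditions discussed above (storable by a shared cache, explicitly fresh so the proxy never revalidates, and a session cookie that outlives the browser). The sample header sets are constructed for illustration, not captured from Blogger or MySpace.

```python
# Added example (not from the original post): audit response headers for the
# conditions that let a shared proxy cache hand one user's page to another.
from typing import Dict, List

# Directives that forbid a shared (proxy) cache from storing the response.
SHARED_CACHE_BLOCKERS = {"private", "no-store"}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'private, max-age=0' into {'private': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name] = arg.strip().strip('"')
    return directives


def shared_cache_risk(headers: Dict[str, str]) -> List[str]:
    """Return findings for a per-user response; an empty list means a proxy
    that honours Cache-Control cannot serve this response to another user."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    set_cookie = h.get("set-cookie")
    if set_cookie is None:
        return findings  # no session cookie issued: treated as not personalised
    cc = parse_cache_control(h.get("cache-control", ""))
    if not cc.keys() & SHARED_CACHE_BLOCKERS:
        findings.append("personalised response lacks Cache-Control: private/no-store")
        if "public" in cc or "s-maxage" in cc or "max-age" in cc or "expires" in h:
            findings.append("explicit freshness lets a proxy reuse it without revalidation")
    # Cookie attributes after the name=value pair, e.g. Path, Expires, HttpOnly.
    cookie_attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    if cookie_attrs & {"expires", "max-age"}:
        findings.append("session cookie is persistent; it survives closing the browser")
    return findings


# Constructed sample responses (not captured from any real site).
LEAKY = {"Content-Type": "text/html", "Cache-Control": "max-age=600",
         "Set-Cookie": "sid=abc123; Path=/; Expires=Fri, 06 Apr 2008 00:00:00 GMT"}
SAFE = {"Content-Type": "text/html", "Cache-Control": "private, no-store, max-age=0",
        "Set-Cookie": "sid=abc123; Path=/; HttpOnly"}
STATIC = {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}

if __name__ == "__main__":
    for name, hdrs in (("LEAKY", LEAKY), ("SAFE", SAFE), ("STATIC", STATIC)):
        print(name, shared_cache_risk(hdrs) or "ok")
```

Running it reports three findings for LEAKY and none for SAFE or STATIC; a proxy configured to cache dynamic objects will still ignore these headers, which is why the post's advice to disable that caching stands regardless.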

PS> I am blogging this via our corporate proxy, but we have disabled dynamic object caching :)
