A context mechanism for controlling caching of HTTP responses
draft-pettersen-cache-context-06

Document Type Expired Internet-Draft (individual)
Last updated 2012-09-07 (latest revision 2012-03-06)
Stream (None)
Intended RFC status (None)
Formats
Expired & archived
plain text pdf html
Stream Stream state (No stream defined)
Document shepherd No shepherd assigned
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-pettersen-cache-context-06.txt

Abstract

A common problem for sensitive web services is informing the client, in a reliable fashion, when a password protected resource is no longer valid because the user is logged out of the service. This is, in particular, considered a potential security problem by some sensitive services, such as online banking, when the user navigates the client's history list, which is supposed to display the resource as it was when it was loaded, not as it is the time the user navigates to it. This document presents a method for collecting such sensitive resources into a group, called a "Cache Context", which permits the server to invalidate all the resources belonging in the group either by direct action, or according to some expiration policy. The context can be configured to invalidate not just the resources, but also specific cookies, HTTP authentication credentials and HTTP over TLS session information.

Authors

Yngve Pettersen (yngve@opera.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)