J
Just D.
All,
Did anybody see this strange effect? The web application is written in C#,
ASP.NET, SQL, T-SQL, etc. A pretty usual stuff, complicated enough, but
works fine until...
Here is a question. I don't see any problem if I start this app on my local
computer against my local IE both in debug or release modes. If I upload the
same app to my corporate server where it works under HTTPS here are a few
possible ways.
1. It works just great if the Advanced Internet option "Do not save
encrypted pages to disk" is checked on.
2. If I uncheck this option then it still works if I run it on my local IIS
against my local IE,
3. ... but if I run this app against my corporate server with my local IE
then here is a very interesting bug. I'm able to login as one client using
his login/password, then I can click the Backspace button, get the login
page again, enter another login/password, then click OK and get the page
belonging to the first patient like it was already stored in some buffer and
returned back to me. All pages and the whole app are configured to ignore
the cache, all aspx pages are having this tag:
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
No results at all! What's going on? Is the operating system too stupid to
cache pages inside one session and ignore all settings made right in the
program code? It doesn't happen if I call new pages one by one, the app is
written so that it generates a new URL every time when it's called
especially to prevent any type of caching, any type of caching is excluded
to protect the privacy, but I can do nothing to the return back feature.
This bug kills the whole security. Why IIS is so crazy to return the page
from some cache in place of a new calculated page according to the new
combination login/password? Any ideas how to avoid this issue? The operating
system on the server is Windows 2000 Advanced Server. My local system where
this issue doesn't appear is Windows XP Pro. If I connect to the remote
server ragardless of the machine and/or operating system I'm receiving this
issue. But why? If I check the option mentioned above in - "Do no save
encrypted pages to disk" it works great. A new M$ hole or something?
I also see in debugger that if I click the Backspace button the previous
page "supposes" that there were no a postback and executes a short schema
skipping the if (!IsPostBack){}. Maybe I should play with it closer? Did
anybody see this kind of issues and what was the solution?
Just D.
Did anybody see this strange effect? The web application is written in C#,
ASP.NET, SQL, T-SQL, etc. A pretty usual stuff, complicated enough, but
works fine until...
Here is a question. I don't see any problem if I start this app on my local
computer against my local IE both in debug or release modes. If I upload the
same app to my corporate server where it works under HTTPS here are a few
possible ways.
1. It works just great if the Advanced Internet option "Do not save
encrypted pages to disk" is checked on.
2. If I uncheck this option then it still works if I run it on my local IIS
against my local IE,
3. ... but if I run this app against my corporate server with my local IE
then here is a very interesting bug. I'm able to login as one client using
his login/password, then I can click the Backspace button, get the login
page again, enter another login/password, then click OK and get the page
belonging to the first patient like it was already stored in some buffer and
returned back to me. All pages and the whole app are configured to ignore
the cache, all aspx pages are having this tag:
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
No results at all! What's going on? Is the operating system too stupid to
cache pages inside one session and ignore all settings made right in the
program code? It doesn't happen if I call new pages one by one, the app is
written so that it generates a new URL every time when it's called
especially to prevent any type of caching, any type of caching is excluded
to protect the privacy, but I can do nothing to the return back feature.
This bug kills the whole security. Why IIS is so crazy to return the page
from some cache in place of a new calculated page according to the new
combination login/password? Any ideas how to avoid this issue? The operating
system on the server is Windows 2000 Advanced Server. My local system where
this issue doesn't appear is Windows XP Pro. If I connect to the remote
server ragardless of the machine and/or operating system I'm receiving this
issue. But why? If I check the option mentioned above in - "Do no save
encrypted pages to disk" it works great. A new M$ hole or something?
I also see in debugger that if I click the Backspace button the previous
page "supposes" that there were no a postback and executes a short schema
skipping the if (!IsPostBack){}. Maybe I should play with it closer? Did
anybody see this kind of issues and what was the solution?
Just D.