Proxy server cache is dangerous for private data?
Asked Answered
L

1

7

Suppose I have a asp.net mvc 3 application with an interface named /getdata, different users connect to the server by my PC client software and get private data using this interface. Different users are identified by their own well-encrypted tokens.enter image description here

Now the problem is ClientA told us he got another user's data. From the log of ClientA we found he got ClientB's (but they don't know each other, they can't share accounts). I looked through the code of my web application but couldn't find any chance to mix their data.

So I wonder can this happen:

(1) ClientB starts a http request to http://mysite.com/getdata, with his token in the http header, via a web proxy.

(2) The web proxy accesses my web server, get ClientB's data.

(3) My web server approves the request and returns ClientB's data, since everything is correct.

(4) ClientB gets his data and correctly displayed

(5) Almost the same time after ClientB get his data, ClientA starts a same request, with ClientA's token in the header.

(6) The web proxy find the url that ClientA requesting is the same as ClientB's, and the result is still in cache, then returns ClientB's data. Then ClientA gets another's data.

In my web app interface, at the very beginning I already set all the response no-cache, max-age=0 and so on to prevent client-side cache. My question is:

  1. Can the scanario in the image happen?

  2. If yes, how can I prevent the web proxy returning cached data? I can't modify the program of the PC client, and web proxy servers are out of my control.

  3. If no, what's the possible reason that A is getting B's data?

Levitan answered 15/1, 2013 at 2:36 Comment(9)
I think cache-control: private might be relevant. See #3492819Eject
@TimMedora: Nice link. But why no-cache doesn't work? My web server told the proxy server not to cache the data, but it doesn't follow. Why will it follow the "private cache" suggestion?Levitan
I couldn't say, but there are some differences: palizine.plynt.com/issues/2008Jul/cache-control-attributesEject
The other thing that comes to mind is how the request is being made. You say the token is "in the header". Is it a cookie, part of a query string, or a custom header you are passing? Some proxies may not be able to deal with anything other than a query string on a GET. Again, speculation on my part.Eject
@TimMedora: It's part of the headers, the key name is "Authorization".Levitan
Hmmm. This answer claims that's how OAuth works, so you would think that a proxy could handle it. I guess the next question is: can you consistently reproduce the behavior? And can you confirm that when bad data is served, the data is coming from the proxy's cache (not the service itself)?Eject
Fighting against caching won't necessarily work in all scenarios. A good resource on caching and how to work with it to avoid issues: mnot.net/cache_docsAche
Don’t let your cookie being cached by accident! - Blog de l'équipe support IIS France -- French IIS Support Team Blog - Site Home - MSDN Blogs blogs.msdn.com/b/friis/archive/2011/08/30/… How about this?Sergius
You can test this out by installing Fiddler (fiddler2.com/fiddler2). A good way to test the multi user case is to use two different browsers for User A and User B e.g. Firefox and Chrome.Copywriter
N
0

Can the scanario in the image happen?

Yes, this is possible if the clients are using the GET verb to access the /getdata endpoint.

If yes, how can I prevent the web proxy returning cached data? I can't modify the program of the PC client, and web proxy servers are out of my control.

Decorate the controller action that is serving the GetData endpoint with a [NoCache] attribute to ensure that no data gets cached downstream.

Novella answered 18/1, 2013 at 8:49 Comment(5)
My web api marks the response "cache: private; max-age=0", and from RFC, "max-age=0" tells the client not to cache it, am I correct?Levitan
Yes, you are correct. Then the problem is not related to a caching issue but probably a server side problem.Novella
You mean the proxy server right? It's out of my control. It caches the data that I told it not to cache. I think maybe the only one possible solution is, add timespan parameter in new version PC clients' requests to make requests different, prevent the proxy's cache.Levitan
No, I don't mean the proxy server. I mean the application code that is running on your web server.Novella
What's wrong with the code? I have all responses "max-age=0", but the data is still cached. According to RFC, "max-age=0" means "NoCache".Levitan

© 2022 - 2024 — McMap. All rights reserved.