I am a relatively new user of Drupal, and to begin with I really enjoyed its simplistic yet oh-so-powerful architecture, and I would extremely like to use it for some time to come. However, there's one SERIOUS flaw/bug: THERE IS NO CACHE CONTROL that can prevent browsers / proxy servers from caching content. I have ALREADY rendered 2 of my domains unusable (for some time to come, anyway) due to the proxy server (which my ISP forces me through for all international traffic) caching the pages... including when I logged in as ADMIN.
So now anyone who is on the same ISP (300K users) and decides to view my site can do ANYTHING (well, or almost anything) with it - providing there's a cached copy of those pages on the proxy. Initially I was not aware of the flaw since I did most of the development on my home dev machine, and had no proxy servers in the equation; then I blindly transferred the resultant DB and files onto my webhost's server and did some fine tuning (that involved me looking through most of the admin pages while being logged in as admin). Days later I opened my site from my friend's computer, who was still connected by the same ISP, and despite the fact that he has never logged onto my site as admin (nor did he ever even open it) I WAS ABLE TO DO SOME OF THE ADMIN stuff without having to log in.
Please help, this issue needs to be addressed immediately as it is evident that there is a huge security risk involved.
Kind regards,
Nick Goloborodko
P.S. I am not able to use SSL to prevent this type of caching, since my webhost doesn't support it.
Comments
interesting...
Hi Nick,
I stand corrected, but I'm not so sure it is a cache issue or a security issue with Drupal, Nick... more a cookie and ergonomics issue, i.e. when someone clicks into the Drupal site, the logged-in/not-logged-in details are stored in a cookie, not in the cache.
So unless the person logs out and closes the session, Drupal will remember that login through a cookie the next time that computer goes back to the Drupal site.
Similar, I suppose, to the way that most login/logout systems work on the internet, i.e. not unlike the big ones like Yahoo or Hotmail that ask you to "remember me" when you're logging in, and advise you, if you're on a public computer/internet cafe/etc., not to remember your login.
As far as I know, you can control cache in the ADMINISTER - SITE SETTINGS page....check out the handbook...
http://drupal.org/node/15367
If some of your users are logging in from an internet cafe or other...it might be an idea to have a big red warning to tell them to ensure they LOG OUT when they are finished what they are doing.
Hope that helps...
Dub
DUBLIN DRUPALLER
___________________________________________________
A drupal user by chance and a dubliner by sheer luck.
Using Drupal to help build Artist & Band web communities.
Currently in Switzerland working as an Application Developer with UBS Investment Bank...using Drupal 7 and lots of swiss chocolate
PHPSESSION in URL?
In the "cached" copies that you're seeing, does the PHPSESSION parameter appear in the url?
Dub, cookies are only used if they are enabled, and Drupal has some quirks here as well. Even though I have cookies enabled, I often get a PHPSESSION in the url parameters.
As for cache control, if you're talking about HTML directives, you can write those into your template theme in the header and that should take care of it.
- Robert Douglass
-----
www.robshouse.net
www.webs4.com
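Robert's point about cache directives and Nick's report of an ISP proxy serving his admin pages to another subscriber come down to one question: is a shared cache allowed to store the response, and may it hand a stored copy to a different client? The following is an added example (not code from the thread or from Drupal) that applies the RFC 7234 storage and Vary rules to constructed header sets: a logged-in page with no directives, the same page with the headers an authenticated response should carry, and a cacheable page keyed on the Cookie header. Real proxies may be stricter than the RFC (many refuse to store anything carrying Set-Cookie), so the check shows the worst case the specification permits, not what any particular proxy does.

```python
"""Model whether a shared (proxy) cache may store a response and reuse it
for a later request, following the RFC 7234 rules for Cache-Control,
Expires, default-cacheable status codes and Vary.

All header sets below are constructed for illustration; none were
captured from a real Drupal site.
"""
from typing import Dict, Tuple

# Status codes a cache may store even without explicit freshness info (RFC 7231 6.1).
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse 'private, max-age=60' into {'private': '', 'max-age': '60'}."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def shared_cache_may_store(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (storable, reason) for a shared cache such as an ISP proxy."""
    h = _lower(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storing the response"
    if "private" in cc:
        return False, "Cache-Control: private forbids shared caches"
    if "*" in h.get("vary", ""):
        return False, "Vary: * can never match a later request"
    if any(d in cc for d in ("public", "max-age", "s-maxage")) or "expires" in h:
        return True, "explicit freshness information present"
    if status in CACHEABLE_BY_DEFAULT:
        return True, "status cacheable by default; freshness decided heuristically"
    return False, "no freshness information and status not cacheable by default"


def shared_cache_may_reuse(headers: Dict[str, str],
                           stored_request: Dict[str, str],
                           new_request: Dict[str, str]) -> Tuple[bool, str]:
    """Given a stored response, decide whether a new request may receive it.

    Only the Vary rule is modelled: every header named in Vary must match
    between the request that produced the stored copy and the new request.
    """
    h = _lower(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-cache" in cc:
        return False, "Cache-Control: no-cache requires revalidation before reuse"
    old, new = _lower(stored_request), _lower(new_request)
    for field in (f.strip().lower() for f in h.get("vary", "").split(",") if f.strip()):
        if old.get(field) != new.get(field):
            return False, f"Vary: {field} differs between the stored and the new request"
    return True, "response matches; may be served from cache"


# Constructed: an authenticated page served with no cache directives at all.
ADMIN_PAGE_UNPROTECTED = {
    "Content-Type": "text/html",
    "Set-Cookie": "PHPSESSID=constructedsessionid; path=/",
}

# Constructed: the headers an authenticated response should carry so that
# neither a browser nor an intermediary keeps a copy.
ADMIN_PAGE_PROTECTED = {
    "Content-Type": "text/html",
    "Cache-Control": "private, no-store, no-cache, must-revalidate",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
}

# Constructed: a page that is allowed to be cached, but keyed on the Cookie
# header so one user's copy is never handed to a client with different cookies.
VARY_ON_COOKIE = {"Content-Type": "text/html", "Cache-Control": "max-age=60", "Vary": "Cookie"}


if __name__ == "__main__":
    print(shared_cache_may_store(200, ADMIN_PAGE_UNPROTECTED))
    print(shared_cache_may_store(200, ADMIN_PAGE_PROTECTED))
    admin_req, anon_req = {"Cookie": "PHPSESSID=constructedsessionid"}, {}
    print(shared_cache_may_reuse(VARY_ON_COOKIE, admin_req, anon_req))
```

The unprotected case is exactly Nick's situation: with no directives a 200 response is storable by default, and without Vary the stored copy matches any later request for the same URL, cookies or not. The protected set is refused at the storage step, and the Vary: Cookie set is stored but cannot be reused for a request that carries different cookies.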
PHPsession stuff..
Hi Robert,
Nope, I'm not seeing the PHPsession stuff. I used to when I first installed Drupal, but it has been discussed at length on here and there's a toggle you can put into .htaccess that stops it...
Check out the following post by Steven:
http://drupal.org/node/15453#comment-25081
Thanks for the tip about the HTML directives, Rob, but I'm not having the hassles... I just saw Nick's post and the words "critical", "security issues", "major flaws" etc. and thought I would offer my two cents... I'm not so sure if it is as critical/urgent as Nick thinks..
Anyway..as I say, I stand corrected.
Dub
DUBLIN DRUPALLER
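Robert and Dub both mention session ids appearing in URLs (PHP's URL-rewriting fallback when it believes cookies are unavailable). Besides being a caching hazard, a session id in a query string ends up in access logs, referrers and proxy caches. The following is an added example, not from the thread or from Drupal, that scans constructed Apache combined-format log lines for a session parameter in the URL and reports any id that was presented from more than one client address, which is the pattern Nick described. The parameter name defaults to PHPSESSID, PHP's standard session name; the log lines and addresses are constructed.

```python
"""Detect session ids leaked into URL query strings in web server access
logs, and flag ids presented by more than one client address.

The log lines are constructed samples in Apache combined format, not
real traffic; the session id is a placeholder.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2005:10:01:02 +0000] "GET /?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2005:10:01:09 +0000] "GET /?q=admin&PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.1" 200 7421 "http://example.test/?q=user/login" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2005:10:05:44 +0000] "GET /?q=admin&PHPSESSID=0123456789abcdef0123456789abcdef HTTP/1.1" 200 7421 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2005:10:06:01 +0000] "GET /?q=node/2 HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
"""

# Client address, timestamp, method and request target of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def find_leaked_sessions(log_text: str, param: str = "PHPSESSID") -> Dict[str, List[str]]:
    """Map each session id found in a URL query string to the distinct client
    addresses that sent it, in order of first appearance."""
    seen: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlsplit(m.group("target")).query)
        for sid in query.get(param, []):
            ips = seen.setdefault(sid, [])
            if m.group("ip") not in ips:
                ips.append(m.group("ip"))
    return seen


def shared_sessions(leaks: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only ids that were presented from more than one client address."""
    return {sid: ips for sid, ips in leaks.items() if len(ips) > 1}


if __name__ == "__main__":
    leaks = find_leaked_sessions(SAMPLE_LOG)
    print("session ids seen in URLs:", len(leaks))
    for sid, ips in shared_sessions(leaks).items():
        print(f"{sid} presented from {len(ips)} addresses: {', '.join(ips)}")
```

If this finds anything, the fix is on the server side rather than in the logs: I assume the .htaccess toggle Dub refers to is PHP's `session.use_trans_sid` (set to off) together with `session.use_only_cookies` (set to 1), which stop PHP from ever writing the id into links; I have not seen the linked post, so treat that as an assumption.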
Thanks for the lead on htaccess
I hadn't seen that thread.
- Robert Douglass
search needs improving..
HI Robert,
No worries..
Must admit, I know the search.module is in development, but I think the forum could maybe be re-structured slightly to make people specify, when posting topics, what module their question is related to... or having a snippets branch/forum associated with each part of Drupal...
As an example, a dropdown menu could appear as an option when posting a question on here which lists keywords, populated from previous posts, that would categorise it...
I'm not sure if that is workable or even makes sense, but, I'm finding myself more and more using google to search on here rather than the built in search.
Dub
DUBLIN DRUPALLER
hehe - another lost thread
http://drupal.org/node/10134
- Robert Douglass
descriptive titles
Please title your post so that it describes the content properly. This helps people find the information they need when they search the site. Titles should not be constructed so as to gain attention for your issue.
Timeout possible?
It would be nice to establish a timeout to invalidate sessions after a period (let's say 30 minutes) defined in the admin settings. Is this easy/possible to do in Drupal?
Thanks for your help