tags:

views:

79

answers:

3
+1  Q: 

Prevent Safari from Caching Top Sites

I have found what I think to be a big security flaw with Safari's Top Sites image cache. For those who don't know, Safari basically takes a snapshot of every page you visit and this is supposed to be somehow useful to the user. My problem with it is that it even takes snapshots of parts of my site that are password protected. So if someone got a hold of one of my user's computers and knew where to look they'd have a whole repository of content that should theoretically be for my user's eyes only.

I tested this "feature" out with other sites and found that sites such as Gmail and hotmail don't get cached. Well, only the hotmail login page gets cached but nothing beyond that, and none of Gmail gets cached at all. So my question is this: What can I do on my end to prevent this from happening? I've already prevented normal caching in FF, IE, Opera, etc. by using 

header('Cache-control: no-store, no-cache')

along with pragma: no-cache, and every other trick in the book to stop a page from being cached. What gives?

A: 

Have you tried appending a random query string?

Headers which should work (all together):

// A really far back date...
header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');

// Dynamic Modified date
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');

// HTTP 1.0 (i think)
header('Pragma: no-cache');

// HTTP 1.1 
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: post-check=0, pre-check=0', false);

EDIT:

Try putting this for some debugging AFTER you send the above headers.

if (headers_sent())
{
   echo '<h1>Headers sent</h1>';
   echo '<pre>';
   var_dump(headers_list());
   echo '</pre>';
}
else
{
   echo '<h1>Headers not sent</h1>';
   echo '<pre>';
   var_dump(headers_list());
   echo '</pre>';  
}

Can you edit your post with the output of the above?

Thanks!

Kieran Allen  2010-07-14 08:37:03
I had the 1st 3rd and 4th statements in my code. I added the other two you suggested but it didn't make a difference :(
vince  2010-07-14 08:46:05
Have you checked what headers are actually being sent from your server? You might have some etags being sent, also make sure you don't have any overwriting .hatccess caching methods. If none of this works can you attach the code where you're sending the headers? What about appending a random number to each "logged in" page, using page.php?cb=<?php echo uniqid(); ?>
Kieran Allen  2010-07-14 09:23:54
OT, but isn't `echo '<pre>'; var_dump(headers_list()); echo '</pre>';` duplicated in your last sample? Could be pulled out of the if and else and be put after instead.
Svish  2010-07-14 09:46:08
not sure how that helps..
Kieran Allen  2010-07-14 13:04:13
A: 

UPDATE: For anyone reading this: This is still an unresolved issue. I even contacted the Safari dev team and they just gave me the run around.

@Kieran Allen

This is the result of the code you asked me to include:

Headers sent

array(7) {
  [0]=>
  string(23) "X-Powered-By: PHP/5.2.2"
  [1]=>
  string(38) "Expires: Mon, 26 Jul 1997 05:00:00 GMT"
  [2]=>
  string(50) "Cache-Control: no-store, no-cache, must-revalidate"
  [3]=>
  string(16) "Pragma: no-cache"
  [4]=>
  string(40) "Cache-Control: post-check=0, pre-check=0"
  [5]=>
  string(44) "Last-Modified: Wed, 14 Jul 2010 09:32:56 GMT"
  [6]=>
  string(23) "Content-type: text/html"
}

My current theory is that Safari disables the snapshot on secure websites using https.

(I know it's not the correct protocol to respond with this as an answer to my question, but when I asked this I was not a registered member. I registered within the last hour though, and thought I would be able to claim this question as my own but alas Stack Overflow does not allow this.)

 2010-07-14 09:40:28
Yeah, could be the HTTPS - I guess your only way around it would be to append a random string on the end of the urls.
Kieran Allen  2010-07-14 13:05:39
I don't think the random string makes a difference... After testing a few more sites I've found that facebook also doesn't get cached (aside from the login page). facebook isn't exactly a secure site so I'm wondering what they are doing to keep this from happening. The same thing goes for myspace.
 2010-07-14 19:14:10
A: 

Sending 2 cache control headers probably is not helping - try merging them. I'd also recommend a 'Vary: Cookie' header as good practice for authenticated pages.

Have you looked at the headers you get from the hotmail and google pages which you say are not cached?

C.

symcbean  2010-07-14 11:06:01

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases