
Suppose I have an asp.net mvc 3 application with an interface named /getdata; different users connect to the server with my PC client software and get private data through this interface. Different users are identified by their own well-encrypted tokens.

Now the problem is ClientA told us he got another user's data. From the log of ClientA we found he got ClientB's (but they don't know each other, they can't share accounts). I looked through the code of my web application but couldn't find any chance to mix their data.

So I wonder can this happen:

(1) ClientB starts a http request to http://mysite.com/getdata, with his token in the http header, via a web proxy.

(2) The web proxy accesses my web server and gets ClientB's data.

(3) My web server approves the request and returns ClientB's data, since everything is correct.

(4) ClientB gets his data and it is displayed correctly.

(5) At almost the same time, after ClientB gets his data, ClientA starts the same request, with ClientA's token in the header.

(6) The web proxy finds that the URL ClientA is requesting is the same as ClientB's, and the result is still in its cache, so it returns ClientB's data. Then ClientA gets another user's data.

In my web app interface, at the very beginning I already set all responses to no-cache, max-age=0 and so on to prevent client-side caching. My questions are:

  1. Can the scenario in the image happen?

  2. If yes, how can I prevent the web proxy from returning cached data? I can't modify the program of the PC client, and the web proxy servers are out of my control.

  3. If no, what's the possible reason that A is getting B's data?

Cheng Chen
  • I think `cache-control: private` might be relevant. See http://stackoverflow.com/questions/3492319/private-vs-public-in-cache-control – Tim Medora Jan 15 '13 at 02:42
  • @TimMedora: Nice link. But why doesn't no-cache work? My web server *told* the proxy server not to cache the data, but it doesn't follow that. Why would it follow the "private cache" suggestion? – Cheng Chen Jan 15 '13 at 02:44
  • I couldn't say, but there are some differences: http://palizine.plynt.com/issues/2008Jul/cache-control-attributes/ – Tim Medora Jan 15 '13 at 02:49
  • The other thing that comes to mind is how the request is being made. You say the token is "in the header". Is it a cookie, part of a query string, or a custom header you are passing? Some proxies may not be able to deal with anything other than a query string on a GET. Again, speculation on my part. – Tim Medora Jan 15 '13 at 02:53
  • @TimMedora: It's part of the headers, the key name is "Authorization". – Cheng Chen Jan 15 '13 at 02:58
  • Hmmm. [This answer](http://stackoverflow.com/a/8464322/453277) claims that's how OAuth works, so you would think that a proxy could handle it. I guess the next question is: can you consistently reproduce the behavior? And can you confirm that when bad data is served, the data is coming from the proxy's cache (not the service itself)? – Tim Medora Jan 15 '13 at 03:06
  • Fighting against caching won't necessarily work in all scenarios. A good resource on caching and how to work with it to avoid issues: http://www.mnot.net/cache_docs/ – Steve Py Jan 15 '13 at 03:29
  • Don’t let your cookie being cached by accident! - Blog de l'équipe support IIS France -- French IIS Support Team Blog - Site Home - MSDN Blogs http://blogs.msdn.com/b/friis/archive/2011/08/30/don-t-let-your-cookie-being-cached-by-accident.aspx How about this? – takepara Jan 15 '13 at 06:21
  • You can test this out by installing Fiddler (http://www.fiddler2.com/fiddler2/). A good way to test the multi user case is to use two different browsers for User A and User B e.g. Firefox and Chrome. – gls123 Jan 18 '13 at 08:44

1 Answer


Can the scenario in the image happen?

Yes, this is possible if the clients are using the GET verb to access the /getdata endpoint.

If yes, how can I prevent the web proxy returning cached data? I can't modify the program of the PC client, and web proxy servers are out of my control.

Decorate the controller action that is serving the GetData endpoint with a [NoCache] attribute to ensure that no data gets cached downstream.

Darin Dimitrov
  • My web api marks the response "cache: private; max-age=0", and according to the RFC, "max-age=0" tells the client not to cache it, am I correct? – Cheng Chen Jan 18 '13 at 09:51
  • Yes, you are correct. Then the problem is not related to a caching issue but probably a server side problem. – Darin Dimitrov Jan 18 '13 at 11:47
  • You mean the proxy server, right? It's out of my control. It caches the data that I told it not to cache. I think maybe the only possible solution is to add a timespan parameter to the new version of the PC clients' requests to make the requests different and prevent the proxy's cache. – Cheng Chen Jan 19 '13 at 05:11
  • No, I don't mean the proxy server. I mean the application code that is running on your web server. – Darin Dimitrov Jan 19 '13 at 14:16
  • What's wrong with the code? I have "max-age=0" on all responses, but the data is still cached. According to the RFC, "max-age=0" means "NoCache". – Cheng Chen Jan 20 '13 at 02:33
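The `[NoCache]` attribute the answer refers to is not built into ASP.NET MVC 3; the block below is an added example implementation (not code from the question, the answer, or the asker's project) that emits every directive a compliant cache honours, including `no-store` (per RFC 2616 §14.9, `max-age=0` only marks a stored copy stale and forces revalidation; it does not forbid storing it) and `Vary: Authorization`, so a shared proxy that keys responses by URL alone cannot hand one token's response to another token. The namespace, the `DataController` class and the `LookupUser` helper are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

namespace MySite.Filters   // hypothetical namespace
{
    // Resulting headers on every response from a decorated action:
    //   Cache-Control: no-cache, no-store, must-revalidate
    //   Pragma: no-cache            (for HTTP/1.0 caches)
    //   Expires: <date in the past>
    //   Vary: Authorization         (a cache that stores anyway must key on the token)
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public sealed class NoCacheAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;

            cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache + Pragma: no-cache
            cache.SetNoStore();                                     // no-store: never write the body to a cache
            cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
            cache.SetExpires(DateTime.UtcNow.AddYears(-1));         // Expires already passed
            cache.VaryByHeaders["Authorization"] = true;            // Vary: Authorization

            base.OnResultExecuting(filterContext);
        }
    }

    // Hypothetical controller showing where the attribute goes for the /getdata endpoint.
    public class DataController : Controller
    {
        [NoCache]
        public ActionResult GetData()
        {
            string token = Request.Headers["Authorization"];
            if (string.IsNullOrEmpty(token))
                return new HttpUnauthorizedResult();

            // LookupUser is a placeholder for the application's own token validation;
            // the response body is built only from the user resolved from this token.
            var user = LookupUser(token);
            return Json(new { owner = user }, JsonRequestBehavior.AllowGet);
        }

        private static string LookupUser(string token)
        {
            return "user-for-" + token.Length;   // placeholder, not real validation
        }
    }
}
```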