I’ve got some things in my mind, I thought I’d ask the veterans here. I’m creating a website using Razor syntax and WebMatrix. I’m currently implementing a user login system into it. So my questions are:
-
In WebSecurity, when a token is generated (for creating new account, or recovering password, etc.), is this token a public key? Can it be safely emailed to the user over unsecured network or email. Is it a good practice (or useful) to further encrypt this token?
-
I’ve set my secured pages to not to cache on web browser, i.e. pages which are accessed by user after he signs-in with his password. I think its a necessary action because when a user logs out, I don’t want the user to press the browser’s back button and see the secured pages again. So I set all the secured pages’ expiry as follows:
Response.Expires = -1; Response.Cache.SetNoServerCaching(); Response.Cache.SetAllowResponseInBrowserHistory(false); Response.CacheControl = "no-cache"; Response.Cache.SetNoStore();
My question on above is that if I set my pages to expire immediately, the browser does not cache anything and reloads the page every time user visits it, does it mean that the browser will not even cache the linked style sheets, script files and images? I’ve set my images to preload so that the website’s presentation works smoothly; will the immediate-expiring of webpage cause these images and everything to be loaded all over and over again on each page?
Thanks.
It’s not a “public token”, in the sense that anyone who gets access to that token can use it to reset the user’s password and log in. So it does need to be sent securely, and the reset link should require SSL.
No, the setting of cache expiry on specific pages will not affect the caching of other content. You can set the cache policy/headers of static content using IIS manager, or in the web.config.