Our customer wants an ASP.NET web application with user management and different roles, but has some very strange conditions:
- The application should work from a browser, the users should be able to log in and do stuff according to their given rights. (so far so easy)
- The typical scenario would be that many people with different user privileges work from the same machine, same Windows account and same browser (in turns). Still, they should not be able to have any access to data that other users have seen or do anything out of their account.
For me this probably means:
- I can’t use any type of caching.
- I can’t use any type of cookies.
- I can’t do anything important over GET parameters.
- I have to be very careful about sessions.
Still I don’t see how I could (with certainty) prevent browser side caching. We tried to explain that this kind of stuff is what Windows accounts are for, but he seems to be pretty consistent that he wants to keep it all on one account.
Is this a realistic requirement and what do I have to keep in mind when realising an application with such security requirements?
This has never been an issue with applications I developed before, so I’m not really sure how to handle this.
Yes, they are. Online banking applications typically do this by abandoning their session after a period of inactivity. Also, if you close the browser the session should be abandoned. A manual log out is a good idea.
Some other points:
- Not on the web browser, no, but session caching is fine.
- Except for session cookies, no.
- Yep.
- This is probably always a good idea.
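
The points in the answer above (no browser-side caching, a session that is abandoned on logout) can be wired into a classic ASP.NET application roughly as follows. This is an added example, not code from the original posts; it assumes System.Web with Forms Authentication and the default session cookie name, and `SessionTerminator` is a hypothetical helper name.

```csharp
// Added example: classic ASP.NET (System.Web), Global.asax code-behind.
// Assumptions: Forms Authentication, default session cookie "ASP.NET_SessionId".
// The inactivity timeout itself is configured in web.config:
//   <sessionState timeout="..."/> (minutes) under <system.web>.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs for every request: mark each response as non-storable so the
    // Back button, history and shared proxies cannot replay a previous
    // user's pages to whoever sits down at the machine next.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpCachePolicy cache = Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache
        cache.SetNoStore();                              // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));  // already expired
    }
}

public static class SessionTerminator // hypothetical helper
{
    // Call from the logout button handler.
    public static void SignOut(HttpContext context)
    {
        // Remove the Forms Authentication ticket cookie.
        FormsAuthentication.SignOut();

        // Drop all server-side state held for this user.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // Session.Abandon() does not remove the cookie from the browser, so
        // overwrite it with an expired one; the next user then gets a fresh
        // session id instead of reusing the old one.
        var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        };
        context.Response.Cookies.Add(expired);
    }
}
```

The session and authentication cookies should stay non-persistent (no explicit expiry when issued), so that closing the browser discards them as the answer describes.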