I logged into the application and viewed an org's detail in the browser. I then logged out and did the same task again. Before expanding the pane, I turned on capturing the headers. Below are the results. I believe that an id (either session or protect-from-forgery) is being appended to some of the calls. Search for _=1318518620113. This string is different for each login, and therefore defeats any caching.

https://katello2/katello/organizations/ACME_Corporation/edit

GET /katello/organizations/ACME_Corporation/edit HTTP/1.1
Host: katello2
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Fedora/3.6.23-1.fc14 Firefox/3.6.23
Accept: text/html, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-CSRF-Token: SAlIQt4erR0eAhThkRRnfhcnKHSpMbTHr0aT3fUm/9c=
X-Requested-With: XMLHttpRequest
Referer: https://katello2/katello/organizations
Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b
If-None-Match: "b889e65fdbc7a61dfa091698e8af4e54"

HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 15:33:00 GMT
Server: thin 1.2.11 codename Bat-Shit Crazy
Etag: "07f00833b9141e2a1ab185eb219ebf6d"
x-ua-compatible: IE=Edge,chrome=1
X-Runtime: 0.047929
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b; path=/; HttpOnly
Connection: close
Transfer-Encoding: chunked
----------------------------------------------------------
https://katello2/katello/assets/scroll_pane.js?1318344297&_=1318518620113

GET /katello/assets/scroll_pane.js?1318344297&_=1318518620113 HTTP/1.1
Host: katello2
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Fedora/3.6.23-1.fc14 Firefox/3.6.23
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-CSRF-Token: SAlIQt4erR0eAhThkRRnfhcnKHSpMbTHr0aT3fUm/9c=
X-Requested-With: XMLHttpRequest
Referer: https://katello2/katello/organizations
Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b

HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 15:33:00 GMT
Server: Apache/2.2.21 (Fedora)
Last-Modified: Tue, 11 Oct 2011 14:44:57 GMT
Etag: "4b36-61-4af06f383ac40"
Accept-Ranges: bytes
Content-Length: 97
Connection: close
Content-Type: application/javascript
----------------------------------------------------------
https://katello2/katello/assets/edit_helpers.js?1318344297&_=1318518620553

GET /katello/assets/edit_helpers.js?1318344297&_=1318518620553 HTTP/1.1
Host: katello2
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Fedora/3.6.23-1.fc14 Firefox/3.6.23
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-CSRF-Token: SAlIQt4erR0eAhThkRRnfhcnKHSpMbTHr0aT3fUm/9c=
X-Requested-With: XMLHttpRequest
Referer: https://katello2/katello/organizations
Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b

HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 15:33:01 GMT
Server: Apache/2.2.21 (Fedora)
Last-Modified: Tue, 11 Oct 2011 14:44:57 GMT
Etag: "4aee-8a8-4af06f383ac40"
Accept-Ranges: bytes
Content-Length: 2216
Connection: close
Content-Type: application/javascript
----------------------------------------------------------
https://katello2/katello/notices/get_new?_=1318518734612

GET /katello/notices/get_new?_=1318518734612 HTTP/1.1
Host: katello2
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Fedora/3.6.23-1.fc14 Firefox/3.6.23
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-CSRF-Token: SAlIQt4erR0eAhThkRRnfhcnKHSpMbTHr0aT3fUm/9c=
X-Requested-With: XMLHttpRequest
Referer: https://katello2/katello/organizations
Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b

HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 15:34:55 GMT
Server: thin 1.2.11 codename Bat-Shit Crazy
Etag: "b76ae91c0122a373382253301cf78802"
x-ua-compatible: IE=Edge,chrome=1
X-Runtime: 0.011327
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b; path=/; HttpOnly
Connection: close
Transfer-Encoding: chunked
----------------------------------------------------------
https://katello2/katello/notices/get_new?_=1318518854729

GET /katello/notices/get_new?_=1318518854729 HTTP/1.1
Host: katello2
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110927 Fedora/3.6.23-1.fc14 Firefox/3.6.23
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-CSRF-Token: SAlIQt4erR0eAhThkRRnfhcnKHSpMbTHr0aT3fUm/9c=
If-None-Match: "b76ae91c0122a373382253301cf78802"
X-Requested-With: XMLHttpRequest
Referer: https://katello2/katello/organizations
Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b

HTTP/1.1 304 Not Modified
Date: Thu, 13 Oct 2011 15:36:55 GMT
Server: thin 1.2.11 codename Bat-Shit Crazy
Connection: close
Etag: "b76ae91c0122a373382253301cf78802"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _src_session=BAh7CSIQX2NzcmZfdG9rZW4iMVNBbElRdDRlclIwZUFoVGhrUlJuZmhjbktIU3BNYlRIcjBhVDNmVW0vOWM9IhxjdXJyZW50X29yZ2FuaXphdGlvbl9pZGkGIg9zZXNzaW9uX2lkIiUzMWQwZjdlYTZmZWVjYmU5YWFkM2E0YTRlNGExNTJhNiIZd2FyZGVuLnVzZXIudXNlci5rZXlpBg%3D%3D--6e98bdb2b71cc3b07bab6f7ae901035e1d2cac8b; path=/; HttpOnly
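One way to check the reporter's hypothesis offline, as an added example that is not part of the bug report or of Katello: the URL and Date-header pairs are copied from the capture above, and the check rests on the fact that a per-login session or CSRF token would sit at a random offset from the server clock, while a client-side millisecond timestamp (the "_" cache-buster jQuery appends to requests made with cache disabled) sits at a near-constant offset on every request, the constant part being only browser/server clock skew.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample: (request URL, server Date header) pairs copied from the
# header capture in the bug report above.
CAPTURE = [
    ("https://katello2/katello/assets/scroll_pane.js?1318344297&_=1318518620113",
     "Thu, 13 Oct 2011 15:33:00 GMT"),
    ("https://katello2/katello/assets/edit_helpers.js?1318344297&_=1318518620553",
     "Thu, 13 Oct 2011 15:33:01 GMT"),
    ("https://katello2/katello/notices/get_new?_=1318518734612",
     "Thu, 13 Oct 2011 15:34:55 GMT"),
    ("https://katello2/katello/notices/get_new?_=1318518854729",
     "Thu, 13 Oct 2011 15:36:55 GMT"),
]


def underscore_param(url):
    """Return the '_' query value as int milliseconds if it is a 13-digit number, else None."""
    values = parse_qs(urlparse(url).query).get("_")
    if not values or not re.fullmatch(r"\d{13}", values[0]):
        return None
    return int(values[0])


def buster_as_datetime(ms):
    """Interpret a 13-digit '_' value as a JavaScript-style epoch in milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def clock_offsets(capture):
    """Seconds between the server Date header and the client-side '_' value, per request."""
    offsets = []
    for url, date_header in capture:
        ms = underscore_param(url)
        if ms is None:
            continue
        server_time = parsedate_to_datetime(date_header)
        offsets.append((server_time - buster_as_datetime(ms)).total_seconds())
    return offsets


def looks_like_client_timestamp(capture, jitter_s=5.0):
    """True when every '_' value sits at (nearly) the same offset from the server clock:
    a random token would scatter the offsets, a client clock keeps them constant."""
    offsets = clock_offsets(capture)
    return len(offsets) >= 2 and max(offsets) - min(offsets) <= jitter_s
```

For the captured requests the four offsets all land around 1360 s, so the value is a browser timestamp that changes on every request rather than a per-login id; the caching problem is the cache-buster itself, not a leaked token.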
I tried this myself and across multiple login/logouts, the same file had the same signature. While this signature can vary between individual files themselves, it was the same between sessions for static assets.
getting rid of 6.0.0 version since that doesn't exist