R – secure browser cache

Tags: browser, caching, google-gears, privacy, security

Note: this is a different problem to https – it's related to privacy security

I'm trying to figure out if there's a way to take load off our server [cache] by pushing information to the browser. Is there any technology that will provide secure caching that is bound to a session?

We have privacy-sensitive data that's often used, but will not change much. Re-requesting updates from the server/database all the time will reduce the sensitivity.

The solution cannot rely on any page being held open the entire time (e.g. no framesets). Navigation away from a page (or opening a new tab) is allowed.

Does Google Gears fit here? I can't find any way of tying the cache to the session.

The problem domain is cafe/shared machine login with multiple web app users. e.g. when the session expires, or the user logs off, there should be no cached data anywhere.
While they are logged on, I presume that nobody else will have physical access to the computer.

See also Can HTML5 sessionStorage be written to disk?

Best Solution

You'll have HTML5.0 with local database-like features. However, what do you mean by secure? HTML5.0 will be secure against cross-site issues, but the user will still have full access to the data; I don't think encryption is required.

Google Gears does fit, but it's not a standard while HTML5.0 is. Safari supports 5.0, and I guess Opera and Firefox will too by mid 2009, if they don't already. Explorer probably will have some buggy implementation so they can force developers to use Silverlight.

Edit: Stephen, I see you need to destroy the cache after they leave. Of course, unless their machine has a proximity sensor this won't be possible :) But you could have your JavaScript delete everything when they log off, for example.

Link to HTML5.0 specs

Link to HTML5.0 Cache specs

Link to HTML5.0 session storage specs (By popular request :)
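One way to bind cached records to a login and delete them on logoff, as the answer suggests; this is an added example, not code from the original post. The names `SessionBoundCache`, `MemoryStorage` and the `sbc:` prefix are hypothetical, and `sessionId` is assumed to be a non-secret per-login identifier issued by the server, not the session cookie itself.

```javascript
const PREFIX = "sbc:"; // hypothetical key prefix marking records owned by this cache

// Constructed stand-in for a Web Storage object so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  get length() { return this.m.size; }
  key(i) { return [...this.m.keys()][i] ?? null; }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
  removeItem(k) { this.m.delete(k); }
}

class SessionBoundCache {
  // storage: sessionStorage, localStorage or any object with the same interface
  constructor(storage, sessionId, ttlMs, now = Date.now) {
    this.storage = storage; this.sessionId = sessionId;
    this.ttlMs = ttlMs; this.now = now;
    this.purge(false); // on page load, drop leftovers from an earlier login
  }
  put(name, value) {
    const rec = { sid: this.sessionId, exp: this.now() + this.ttlMs, value };
    this.storage.setItem(PREFIX + name, JSON.stringify(rec));
  }
  get(name) {
    const raw = this.storage.getItem(PREFIX + name);
    if (raw === null) return undefined;
    let rec;
    try { rec = JSON.parse(raw); } catch { rec = null; }
    // A record from another login, an expired one, or a corrupt one is deleted, not returned.
    if (!rec || rec.sid !== this.sessionId || rec.exp <= this.now()) {
      this.storage.removeItem(PREFIX + name);
      return undefined;
    }
    return rec.value;
  }
  // all = true: call from the logoff handler. all = false: remove only stale records.
  purge(all = true) {
    const keys = [];
    for (let i = 0; i < this.storage.length; i++) keys.push(this.storage.key(i));
    for (const k of keys) {
      if (!k || !k.startsWith(PREFIX)) continue;
      if (all) this.storage.removeItem(k);
      else this.get(k.slice(PREFIX.length)); // get() deletes stale records
    }
  }
}
```

With `sessionStorage` as the backend a new tab starts with an empty cache, because that storage is scoped to one tab. With `localStorage` the records are shared across tabs but survive a browser close, so clearing without an explicit logoff depends on the expiry and the purge in the constructor.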