The Caching Proxy and the ISP Webmail

Last Friday, one of the guys in the department noticed that when he signed into Cox webmail he would access Cox mailboxes belonging to other employees. He was even able to open messages in those accounts.
I went back to my office and created a test account. There is an awful lot of potential confidentiality violations here. Although I never repeated the results I saw on my co-worker’s screen, I did find I would see the cox inbox for other employees when I selected logoff.
We use BlueCoat SG 810-B to provide HTTP/HTTPS security in web browsing. This additionally provides a proxy cache which in theory saves on bandwidth costs. We haven’t had problems previously with Cox Webmail, nor have we had problems with any other webmail or logon based website.
To resolve the problem, I disabled proxy caching on the BlueCoat for webmail.east.cox.net. Immediately the problem went away.
Just to be on the safe side, I checked with my BlueCoat Sales Engineer. He says that cookie based webmail normally works fine as the cookies are non-cacheable by default. Otherwise the webmaster needs to do a better job marking things a non-cacheable. By marking the entire site as non-cacheable I resolved the problem quickly.