[3481] in WWW Security List Archive
Re: CGI Security
daemon@ATHENA.MIT.EDU (Pierre-Yves Bonnetain)
Thu Nov 7 10:24:10 1996
Date: Thu, 7 Nov 1996 10:36:33 +0100
From: Pierre-Yves Bonnetain <pyb@cadrus.fr>
To: benc@geocel.com
CC: PARIVASH@cc1.unt.edu, www-security@ns2.rutgers.edu
In-reply-to: <2.2.32.19961106232802.0070b5b0@lithium> (message from Ben Camp
on Wed, 06 Nov 1996 17:28:02 -0600)
Errors-To: owner-www-security@ns2.rutgers.edu
>
> I do not think this will work at all since browsers DO memorize the password
> for as long as you are using the browser (until you close the browser -- but
> it can even be cached in the case of Internet Explorer). Then the browser
> usually assumes anything under the current file/directory is part of the same
> 'realm', which means it automatically transmits the password.
>
> i.e.
>
> A -+--X
>    |
>    +--Y--+--1
>          |
>          +--2
>
> So.. if you first hit A then you could access X or Y without reentering a
> password. If, however, you went to Y, you could only access Y, 1, and 2
> without reentering a password. If you did authenticate with Y, then you
> would have to reenter the password when you try to access X. You certainly
> will not be reprompted (by default) when you retrieve a document from Y.
>
Not so. It depends in fact on the server protection configuration scheme.
You can protect whole trees (say, from A as above) or part of them (just files
1 and 2). If you have protected from A, the client will (or should, as a matter
of fact) memorize the association server-to-contact/username+password, not
URL/username+password. So it is irrelevant whether the client hits X or Y first
(for example, if he jumps directly to the URL that interests him, without going
through the home page).
I think the question was rather 'how to keep someone from getting my
password', not 'how to prevent anyone from using my browser if I am dumb
enough to leave it running when I'm away'.
Is it true that IE caches the password on disk? Or do I misunderstand your
sentence?
--
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
Internet/Security Consultant
B & A Consultants - PROXIMA - Rue des Pyrénées
31330 Grenade-Sur-Garonne - FRANCE
Tel : 0 562.793.261 - Fax : 0 561.824.221
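An added example, not part of the thread above and not code from either poster: a small Python simulation of the two client-side credential rules the two messages are arguing about, as written down in RFC 1945 section 11.1 (HTTP/1.0, 1996) and later RFC 2617 section 2. Rule 1 is that after a successful authentication the client may preemptively send the same Authorization header for paths at or below the directory of the authenticated URL (the subtree behaviour Ben describes). Rule 2 is that credentials are remembered per server and realm, so a 401 for some other path on the same server with an already-known realm is answered from the store without prompting (the server+realm behaviour Pierre-Yves describes). The server tree (/A/ protected under realm "Site", /Admin/ under realm "Admin"), the host name www.example.org and the account alice/s3cret are all constructed for the demo.

```python
"""Client-side reuse of HTTP Basic credentials (added example, not from the thread).

Rules modelled, from RFC 1945 section 11.1 and RFC 2617 section 2:
  1. After a successful authentication the client may preemptively send the
     same Authorization header for any path at or below the directory of the
     authenticated URL.
  2. Credentials are stored per (server, realm); a 401 elsewhere on the same
     server with a known realm is retried from the store, without a prompt.
Server tree, realm names, host and account below are constructed for the demo.
"""
import base64
import posixpath
from urllib.parse import urlsplit


class ToyServer:
    """In-memory server: protections is a list of (path_prefix, realm, {user: pw})."""

    def __init__(self, protections):
        self.protections = protections

    @staticmethod
    def _check(authorization, users):
        if not authorization or not authorization.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return users.get(user) == pw

    def handle(self, path, authorization=None):
        """Return (status, realm); realm is None unless status is 401."""
        for prefix, realm, users in self.protections:
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                return (200, None) if self._check(authorization, users) else (401, realm)
        return 200, None  # unprotected resource


class BasicAuthClient:
    """Minimal browser model: a credential store keyed by (host, realm) plus the
    directories for which an Authorization header is sent preemptively."""

    def __init__(self, server, prompt):
        self.server = server
        self.prompt = prompt    # callable(realm) -> (user, password), i.e. the user dialog
        self.creds = {}         # (host, realm) -> Authorization header value
        self.spaces = []        # (host, directory, Authorization header value)
        self.prompts = 0        # how many times the user was asked

    @staticmethod
    def _directory(path):
        return path if path.endswith("/") else posixpath.dirname(path).rstrip("/") + "/"

    def _preemptive(self, host, path):
        for h, directory, header in self.spaces:   # rule 1: subtree of an authenticated URL
            if h == host and path.startswith(directory):
                return header
        return None

    def get(self, url):
        """Fetch url; return (status, how), how in none/preemptive/reused/prompted."""
        parts = urlsplit(url)
        host, path = parts.netloc, parts.path or "/"
        header = self._preemptive(host, path)
        status, realm = self.server.handle(path, header)
        if status != 401:
            return status, "preemptive" if header else "none"
        header = self.creds.get((host, realm))      # rule 2: known (server, realm)?
        how = "reused"
        if header is None:
            user, pw = self.prompt(realm)
            self.prompts += 1
            header = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
            how = "prompted"
        status, _ = self.server.handle(path, header)
        if status == 200:
            self.creds[(host, realm)] = header
            self.spaces.append((host, self._directory(path), header))
        return status, how


def run_scenario():
    """Ben's tree with the whole of /A/ protected as one realm, plus a second realm."""
    server = ToyServer([("/A/", "Site", {"alice": "s3cret"}),
                        ("/Admin/", "Admin", {"alice": "s3cret"})])
    client = BasicAuthClient(server, lambda realm: ("alice", "s3cret"))
    trace = []
    for url in ("http://www.example.org/A/Y/", "http://www.example.org/A/Y/1",
                "http://www.example.org/A/X", "http://www.example.org/B/",
                "http://www.example.org/Admin/"):
        status, how = client.get(url)
        trace.append((urlsplit(url).path, status, how))
    return trace, client.prompts


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(*entry)
```

Running the scenario reproduces Ben's case: after authenticating at /A/Y/, the request for /A/Y/1 carries the header preemptively, the request for /A/X does not (it is outside the /A/Y/ subtree) and so gets a 401, but because the realm "Site" on that server is already known the client answers it from its store and the user is only prompted once for the whole of /A/. A second prompt appears only for /Admin/, which the server put in a different realm. Whether the user is reprompted therefore depends on how the server partitions its realms, not on which URL was hit first.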