[3487] in WWW Security List Archive


Re: CGI Security

daemon@ATHENA.MIT.EDU (Ben Camp)
Thu Nov 7 16:07:14 1996

Date: Thu, 07 Nov 1996 12:12:26 -0600
To: Pierre-Yves Bonnetain <pyb@cadrus.fr>
From: Ben Camp <benc@geocel.com>
Cc: PARIVASH@cc1.unt.edu, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

If you choose so, IE will store the password used for HTTP authentication in the
user's .PWL file.

At 10:36 AM 11/7/96 +0100, Pierre-Yves Bonnetain wrote:
>>
>> I do not think this will work at all since browsers DO memorize the password
>> for as long as you are using the browser (until you close the browser -- but
>> can even be cached in the case of Internet Explorer).  Then the browser
>> usually assumes anything under the current file/directory is part of the same
>> 'realm', which means it automatically transmits the password.
>>
>> i.e.
>>
>> A -+--X
>>    |
>>    +--Y--+--1
>>          |
>>          +--2
>>
>> So... if you first hit A then you could access X or Y without reentering a
>> password.  If, however, you went to Y, you could only access Y, 1, and 2
>> without reentering a password.  If you did authenticate with Y, then you
>> would have to reenter the password when you try to access X.  You certainly
>> will not be reprompted (by default) when you retrieve a document from Y.
>>
>   Not so. It depends in fact on the server protection configuration scheme.
>You can protect whole trees (say, from A as above) or part of them (just files
>1 and 2). If you have protected from A, the client will (or should, as a matter
>of fact) memorize the association server-to-contact/username+password, not
>URL/username+password. So it is irrelevant if the client hits first X or Y
>(for ex., if he jumps directly to the URL that interests him, without going
>through the home page).
>   I think the question was rather 'how to avoid someone from getting my
>password', not 'how to prevent anyone from using my browser if I am dumb
>enough to leave it running when I'm away'.
>   Is it true IE does cache the password on disk? Or do I misunderstand your
>sentence?
>--
>-+-+ Pierre-Yves BONNETAIN (aka Pyb)
>     Internet/Security Consultant
>     B & A Consultants - PROXIMA - Rue des Pyrénées
>     31330 Grenade-Sur-Garonne - FRANCE
>     Tel : 0 562.793.261 - Fax : 0 561.824.221
>
>
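The caching behaviour the two posters argue about, modelled as an added example (not code from this thread or from any browser): credentials are remembered per host and realm, as Pierre-Yves says, and are sent preemptively only under the directory where the challenge was first answered, as the earlier poster's tree describes (the rule later written down in RFC 2617, section 2). The hostname, realm name and credentials are assumed.

```python
# Added model of the browser-side Basic-auth credential cache (constructed
# example, not code from the thread). Two rules are modelled:
#  1. credentials are remembered per (host, realm), as Pierre-Yves says;
#  2. they are sent preemptively (no 401 round trip) only for URLs at or below
#     the directory of the URL where the challenge was first answered, which is
#     the tree behaviour the earlier poster describes.
from posixpath import dirname


class CredentialCache:
    def __init__(self):
        self.by_realm = {}   # (host, realm) -> (user, password)
        self.spaces = {}     # host -> [(path_prefix, realm), ...]

    def learn(self, host, path, realm, user, password):
        """Record credentials after a 401 challenge at `path` was answered."""
        self.by_realm[(host, realm)] = (user, password)
        # The protection space extends from the directory containing `path`.
        prefix = path if path.endswith("/") else dirname(path).rstrip("/") + "/"
        self.spaces.setdefault(host, []).append((prefix, realm))

    def preemptive(self, host, path):
        """Credentials the browser would attach to a request without a fresh 401."""
        for prefix, realm in self.spaces.get(host, []):
            if path.startswith(prefix):
                return self.by_realm[(host, realm)]
        return None

    def on_challenge(self, host, realm):
        """On a 401 for an already-known realm the browser replays the cached
        pair without prompting, whatever the URL; an unknown realm means a prompt."""
        return self.by_realm.get((host, realm))


if __name__ == "__main__":
    # Assumed host and realm; the tree from the thread: A=/, X=/X, Y=/Y/, 1=/Y/1, 2=/Y/2.
    cache = CredentialCache()
    cache.learn("www.example.com", "/Y/", "staff", "alice", "pw")
    for path in ("/Y/1", "/Y/2", "/X"):
        print(path, "preemptive:", cache.preemptive("www.example.com", path))
    # /X is outside the prefix, but if the server answers 401 with realm "staff"
    # the same pair is replayed and the user is not reprompted.
    print("/X after 401:", cache.on_challenge("www.example.com", "staff"))
```

Both observations in the thread hold at once: the prompt depends on the path prefix, but once a realm is known the user is never asked again for that realm on that server.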

