[3492] in WWW Security List Archive

Re: CGI Security

daemon@ATHENA.MIT.EDU (David W. Morris)
Fri Nov 8 03:29:59 1996

Date: Thu, 7 Nov 1996 22:37:27 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19961106232802.0070b5b0@lithium>
Errors-To: owner-www-security@ns2.rutgers.edu



On Wed, 6 Nov 1996, Ben Camp wrote:

> I do not think this will work at all since browsers DO memorize the password
> for as long as you are using the browser (until you close the browser -- but
> can even be cached in the case of Internet Explorer).  Then the browser
> usually assumes anything under the current file/directory is part of the same
> 'realm' which means it automatically transmits the password.
> 
> ie.
> 
> A -+--X
>    |
>    +--Y--+--1
>          |
>          +--2
> 
> So.. if you first hit A then you could access X or Y without reentering a
> password.  If, however, you went to Y, you could only access Y, 1, and 2
> without reentering a password.  If you did authenticate with Y, then you
> would have to reenter the password when you try to access X.  You certainly
> will not be reprompted (by default) when you retrieve a document from Y.

Well almost ... except that the reprompt will happen under the covers.
The browser makes no assumptions about the realm in Ben's parent tree
case so it doesn't automatically send the PW.  But the server sends
the same realm in the challenge and the browser 'says to itself' "Oh,
I know that realm" and sends the memorized password.

To complicate things .. Internet Explorer behavior differs by version and
by whether or not the update is applied to IE 3.0.

Dave Morris
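
The exchange described in this message, modelled as an added example that is not part of the original post: a toy single-host browser and server for the A/X/Y tree, counting visible password prompts against 401 challenges answered silently from the realm cache. The class names, realm names and credentials are constructed for illustration, and the browser model is a simplification of real Basic-auth caching.

```python
import base64

def basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

class Server:
    def __init__(self, realms, users):
        self.realms, self.users = realms, users   # prefix -> realm, realm -> (user, pw)

    def handle(self, path, authorization=None):
        """Return (status, realm); a 401 names the realm in its challenge."""
        prefix = max((p for p in self.realms if path.startswith(p)), key=len, default=None)
        if prefix is None:
            return 200, None
        realm = self.realms[prefix]
        ok = authorization == basic(*self.users[realm])
        return (200 if ok else 401), realm

class Browser:
    def __init__(self, server, ask_user):
        self.server, self.ask_user = server, ask_user  # ask_user stands in for the dialog
        self.by_realm, self.by_dir = {}, {}            # cached Authorization headers
        self.prompts = self.silent_retries = 0

    def get(self, path):
        # Preemptive send: only at or below a directory that already authenticated.
        header = next((h for d, h in self.by_dir.items() if path.startswith(d)), None)
        status, realm = self.server.handle(path, header)
        if status == 401:
            header = self.by_realm.get(realm)
            if header:                     # known realm: answered with no dialog
                self.silent_retries += 1
            else:                          # unknown realm: the user sees a prompt
                self.prompts += 1
                header = basic(*self.ask_user(realm))
            status, realm = self.server.handle(path, header)
            if status == 200:
                self.by_realm[realm] = header
                self.by_dir[path.rsplit("/", 1)[0] + "/"] = header
        return status

def demo(realms):
    users = {"tree": ("ben", "pw-tree"), "x-only": ("ben", "pw-x")}  # constructed
    b = Browser(Server(realms, users), lambda realm: users[realm])
    statuses = [b.get(p) for p in ("/A/Y/index.html", "/A/Y/1/doc.html", "/A/X/doc.html")]
    return statuses, b.prompts, b.silent_retries

if __name__ == "__main__":
    print(demo({"/A/": "tree"}))                       # one realm for the whole tree
    print(demo({"/A/": "tree", "/A/X/": "x-only"}))    # X in its own realm
```

With one realm over the whole tree, the request for X after authenticating at Y costs a 401 round trip but no prompt; only giving X its own realm makes the browser ask again.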

