[7750] in bugtraq
Re: Webmail.bellsouth.net security problems
daemon@ATHENA.MIT.EDU (Kragen)
Wed Aug 26 12:15:46 1998
Date: Tue, 25 Aug 1998 22:26:19 -0400
Reply-To: Kragen <kragen@POBOX.COM>
From: Kragen <kragen@POBOX.COM>
X-To: Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.4.02A.9808251635300.9812-100000@redfish>

On Tue, 25 Aug 1998, Marc Slemko wrote:
> This is one of the situations where cookies are actually one of the better
> solutions. HTTP authentication is even better, but many people dislike it
> because they can't control the login prompt and due to how it can be
> cached by the client.

Well, when I set up a webmail thing on my machine using HTTP Basic
authentication, I created a special page (logout.html) which simply
returned a "not authorized" response for the webmail realm, no matter
what the request was. This would pop up another username/password
prompt, which the user could cancel. After that -- at least with
Netscape -- they would have to re-enter their username and password
before accessing anything that required authentication.

I'm not clear that this behavior is required by the standard.

Kragen
--
<kragen@pobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
We are forming cells within a global brain and we are excited that we might
start to think collectively. What becomes of us still hangs crucially on
how we think individually. -- Tim Berners-Lee, inventor of the Web
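
The logout page described in the message above, sketched as an added example (not the poster's original setup, which the message does not show): `/logout.html` always answers 401 with a challenge for the same realm, even when the credentials are valid. The realm name, the user table, the port and the use of Python's `http.server` are assumptions made for illustration; whether a given browser then drops its cached credentials is client behaviour.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "webmail"                      # assumed realm name
USERS = {"alice": "constructed-pass"}  # constructed sample credentials

def challenge():
    """401 response carrying a Basic challenge for the webmail realm."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b"not authorized\n"

def credentials_ok(auth_header):
    """Validate an 'Authorization: Basic ...' header value against USERS."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except ValueError:                 # bad base64 or bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        password.encode(), expected.encode())

def respond(path, auth_header):
    """Return (status, headers, body) for one GET request."""
    if path == "/logout.html":
        # Refuse unconditionally: the client sees its cached credentials
        # rejected for this realm and has to prompt the user again.
        return challenge()
    if not credentials_ok(auth_header):
        return challenge()
    return 200, {"Content-Type": "text/plain"}, b"inbox\n"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = respond(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```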