httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: MSIE and auth. realms
Date Tue, 10 Mar 1998 08:20:30 GMT
On Tue, 10 Mar 1998, Dirk-Willem van Gulik wrote:

> 
> 
> On Mon, 9 Mar 1998, Marc Slemko wrote:
> 
> > Someone in a post to a newsgroup said that MSIE would treat two servers on
> > different ports on the same host as being the same server, i.e. cached auth
> > for a realm on a server on one port will be sent to a server on another
> > port requesting that auth.
> > 
> > Combine that with a public (e.g. University) system and IE caching
> > passwords on disk, and you come up with auth being useless.
> 
> No is true; and some v3's also treat a realm "" as matching any realm and
> thus hand out passwords left, right and center. We ran into this recently
> with some schools expected to have old equipment and were forced to
> skip the vhosts and use different IP addresses. (Of course three weeks
> later they went to Netscape.. :-( )

And people have trouble understanding why I often think the weakest link
in Internet commerce (aside from the user) is the user's software.  Sigh.

That is very broken.  What it means is that any hostname that requires
private auth can't allow any users on it to run anything, period.  Sheesh.
Yeah, you still have to get the clients to go to your page to steal it, but
that can be easy.
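
Added example, not part of the original message or of any browser's code: a small model of the credential-cache scoping discussed in this thread. It compares a cache keyed on the HTTP protection space (scheme, host, port and realm) with one keyed on host only that also treats an empty challenge realm as a wildcard. The class, scope names, host and credentials are constructed for illustration.

```javascript
// Added example: toy model of a client's HTTP auth credential cache (all names constructed).
class CredentialCache {
  // scope "origin-realm": match scheme + host + port + realm (HTTP protection space)
  // scope "host-only": match host + realm, ignoring port (behaviour reported in the thread)
  constructor(scope, emptyRealmIsWildcard = false) {
    this.scope = scope;
    this.emptyRealmIsWildcard = emptyRealmIsWildcard;
    this.entries = [];
  }
  static parse(url) {
    const u = new URL(url);
    // URL.port is "" for the scheme's default port, so normalise it.
    const port = u.port || (u.protocol === "https:" ? "443" : "80");
    return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
  }
  store(url, realm, credentials) {
    this.entries.push({ ...CredentialCache.parse(url), realm, credentials });
  }
  // Credentials the client would send for a 401 challenge from `url`, or null.
  lookup(url, challengeRealm) {
    const t = CredentialCache.parse(url);
    const hit = this.entries.find((e) => {
      const sameServer = this.scope === "host-only"
        ? e.host === t.host
        : e.scheme === t.scheme && e.host === t.host && e.port === t.port;
      // Assumption: the "" wildcard still requires the server match above.
      const sameRealm = e.realm === challengeRealm ||
        (this.emptyRealmIsWildcard && challengeRealm === "");
      return sameServer && sameRealm;
    });
    return hit ? hit.credentials : null;
  }
}

function demo() {
  const strict = new CredentialCache("origin-realm");
  const loose = new CredentialCache("host-only", true);
  // Constructed sample: the user authenticated once to the server on port 80.
  for (const c of [strict, loose]) c.store("http://host.example/private/", "Staff", "user:pw");
  const otherPort = "http://host.example:8080/";
  return {
    strictSame: strict.lookup("http://host.example:80/private/a", "Staff"),
    strictOtherPort: strict.lookup(otherPort, "Staff"),
    strictEmptyRealm: strict.lookup("http://host.example/", ""),
    looseOtherPort: loose.lookup(otherPort, "Staff"),
    looseEmptyRealm: loose.lookup(otherPort, ""),
  };
}
console.log(demo());
```

With the protection-space key, the server on port 8080 gets nothing and the user is prompted again; with the host-only key, the cached credentials are released to it for both the matching realm and the empty realm.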

