Re: Basic Authentication behavior
Jim Gettys (jg@pa.dec.com)
Tue, 2 Sep 1997 12:26:33 -0700
I agree with Ari.
There is a security consideration hiding here, though....
If someone has authenticated themselves on a realm corresponding to
http://host/dir1, the browser should not try to present those
credentials to authenticate themselves at http://host/dir2.
(i.e. should limit themselves to the same region of namespace
that the first realm was observed for).
Otherwise, one will be presenting a username and password to
potentially a different agent that may then capture and/or attack
using it (particularly for basic, not one of the world's best
security mechanisms).
I don't remember any such security consideration in the current document.
- Jim
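The scoping rule Jim describes above (credentials learned for a realm at http://host/dir1 are offered again only under that part of the namespace, never at http://host/dir2 or at another host or port) can be made concrete in a small client-side credential cache. The code below is an added example written for this archive page; it is not part of the original message and does not come from any browser. It assumes the protection-space convention that the directory of the URL where the 401 challenge was seen (everything up to and including the last "/") is the prefix under which the credentials may be sent preemptively, and that a different scheme, host or port is a different origin and gets nothing. The class and function names are the example's own.

```python
"""Scoped cache for HTTP Basic credentials (added example, not from the post)."""
import base64
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


def _origin(url):
    """(scheme, host, port) of a URL; a different tuple is a different server."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, host, port)


def _directory(path):
    """Directory part of a request path: '/dir1/page.html' -> '/dir1/', '' -> '/'."""
    if not path.startswith("/"):
        path = "/" + path
    return path[: path.rfind("/") + 1]


def authorization_header(cred):
    """Value of the Authorization header for Basic auth (RFC 2617 encoding)."""
    token = base64.b64encode(f"{cred.username}:{cred.password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


class BasicAuthCache:
    """Remembers credentials per (origin, realm, directory prefix) and only
    hands them out for requests inside that prefix on that origin."""

    def __init__(self):
        # Each entry: (origin tuple, realm, directory prefix, Credential)
        self._spaces = []

    def remember(self, challenged_url, realm, username, password):
        """Record credentials the user supplied after a 401 at challenged_url."""
        origin = _origin(challenged_url)
        prefix = _directory(urlsplit(challenged_url).path)
        self._spaces.append((origin, realm, prefix, Credential(username, password)))

    def lookup(self, url):
        """Credential to send preemptively to url, or None if none is in scope.
        The longest matching prefix wins when nested protection spaces overlap."""
        origin = _origin(url)
        path = urlsplit(url).path or "/"
        best = None
        for entry_origin, _realm, prefix, cred in self._spaces:
            if entry_origin != origin:
                continue  # never leak credentials to another scheme/host/port
            if path.startswith(prefix):  # prefix ends in '/', so /dir1/ != /dir10/
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, cred)
        return best[1] if best else None


if __name__ == "__main__":
    # Constructed scenario mirroring the message: one challenge under /dir1.
    cache = BasicAuthCache()
    cache.remember("http://host/dir1/index.html", "Staff", "alice", "s3cret")
    for target in ("http://host/dir1/sub/report.html", "http://host/dir2/index.html"):
        cred = cache.lookup(target)
        print(target, "->", authorization_header(cred) if cred else "(no credentials sent)")
```

A request to anything under /dir1/ gets the stored Authorization header; a request to /dir2/ gets none, so the only way credentials reach a second location is a fresh challenge that the user answers explicitly. Keying on the full origin also stops the cache from replaying the pair to the same host on another port or over a different scheme.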