Re: Basic Authentication behavior
Joel N. Weber II (devnull@gnu.ai.mit.edu)
Thu, 4 Sep 1997 21:05:56 -0400 (EDT)
> If someone has authenticated themselves on a realm corresponding to
> http://host/dir1, the browser should not try to present those
> credentials to authenticate themselves at http://host/dir2.
> (i.e. should limit themselves to the same region of namespace
> that the first realm was observed for).
> Otherwise, one will be presenting a username and password to
> potentially a different agent that may then capture and/or attack
> using it (particularly for basic, not one of the world's best
> security mechanisms).
In most cases, you have one server program for both directories, and
it's not an issue.
It might be an issue with CGIs; I don't know whether the HTTP server
will keep CGIs from seeing the password for some other CGIs.
But it would be insanely stupid to use basic authentication anywhere
where security truly matters anyway.
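The client-side scoping rule the thread argues for, as an added example that is not part of the original messages: a small Python model of a browser's Basic credential cache following RFC 7617 section 2.2, where credentials are sent preemptively only on the same scheme/host/port and at or below the directory of the URL that issued the challenge, and are otherwise reused only in reply to a fresh challenge naming the same realm. The class, method names and sample URLs/credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def protection_space(url):
    """Canonical origin plus the directory of the challenged URL (RFC 7617 2.2):
    scheme, lower-cased host, effective port, and the path up to the last '/'."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    path = u.path or "/"
    return (u.scheme.lower(), (u.hostname or "").lower(), port, path[: path.rfind("/") + 1])


class BasicCredentialCache:
    """Models what a browser should remember after a successful Basic challenge."""

    def __init__(self):
        # Each entry: (scheme, host, port, directory, realm, Authorization value)
        self._entries = []

    def remember(self, challenged_url, realm, username, password):
        # Basic credentials are just base64 of "user:password" (no secrecy at all),
        # which is why the scope in which they are replayed matters so much.
        token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        scheme, host, port, directory = protection_space(challenged_url)
        self._entries.append((scheme, host, port, directory, realm, "Basic " + token))

    def credentials_for(self, url):
        """Preemptive sending: only for the same origin and at or below the
        directory where the challenge was seen, so /dir1/ credentials never
        go to /dir2/ (or to /dir10/) unasked."""
        scheme, host, port, _ = protection_space(url)
        path = urlsplit(url).path or "/"
        for s, h, p, directory, _realm, header in self._entries:
            if (s, h, p) == (scheme, host, port) and path.startswith(directory):
                return header
        return None

    def for_challenge(self, url, realm):
        """Reply to an explicit 401 elsewhere on the same origin: reuse only when
        the server names the same realm; a different realm gets nothing."""
        scheme, host, port, _ = protection_space(url)
        for s, h, p, _directory, r, header in self._entries:
            if (s, h, p, r) == (scheme, host, port, realm):
                return header
        return None


if __name__ == "__main__":
    cache = BasicCredentialCache()
    cache.remember("http://host/dir1/index.html", "staff", "alice", "s3cret")
    print(cache.credentials_for("http://host/dir1/report.html"))  # Basic YWxpY2U6czNjcmV0
    print(cache.credentials_for("http://host/dir2/index.html"))   # None
```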