Re: Remembering Passwords in IE

[11a () GMX NET (Bluefish)]

Actually, as long as it is on the same server this is the correct
behaviour according to http-specs. Basicly, its entirely up to the httpd
to implement this in a secure way.

The workaround used in Apache is to make it impossible to retrieve
passwords/hashes in usermodules, the information is never leaked to the
user's code.

Possibly, an even more strict security measure could be to make it
padd the name of the user creating the .htaccess file to AuthName.

Anyway, this is only a problem if we deal with insecure httpds used in
conjunction with IE. I think the authors of the HTTP RFC assumed stupid
coders on the client side and intentionally left the safekeeping of
passwords upon the server software (httpd). Which probably is the best,
the other way around is *quite* harder to implement.

Btw, the last post does not comment upon the AuthName. I am assuming that
a service with another name at www.host.com is not treated as the same as
the two urls in your example? Not that it would indicate any security
problem, but it would be quite uggly coding if it did :)

On Wed, 29 Mar 2000, Chris Adams wrote:
> It remembers passwords by districts. For instance, say I have subscribed to
> a members only site, hosted on
> www.host.com/foo <http://www.host.com/foo>
> and another one on
> www.host.com/bar <http://www.host.com/bar>
> It will remember my login (to either foo or bar) as being a login to
> www.host.com <http://www.host.com/>
> Yeah, It's a bug.
> Chris

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team