Bugtraq mailing list archives
Re: IE and cached passwords
From: peterw () USA NET (Peter W)
Date: Sat, 28 Aug 1999 11:57:11 -0400
On Fri, 27 Aug 1999, Paul Leach (Exchange) wrote:
The server gets to say, in the WWW-Authenticate challenge header field, for which "realm" it wants credentials (name+password). If both www.company.com and www.company.com:81 send the same realm, then the same password will continue to work. This behavior is as spec'd for HTTP Authentication, RFC 2617.
Not the way I read the RFC's. The "realm" is supposed to apply to the absoluteURI minus the URI path component, which means "example.com" and "example.com:81" are different. Details follow. Section 1.2 of RFC 2617: The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [RFC 2616]) of the server being accessed, defines the protection space. Section 5.1.2 of RFC 2616 gives an example absoluteURI: The absoluteURI form is REQUIRED when the request is being made to a proxy. ...snip... An example Request-Line would be: GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1 ...snip... [and here the RFC clearly indicates what an abs_path is] The most common form of Request-URI is that used to identify a resource on an origin server or gateway. In this case the absolute path of the URI MUST be transmitted (see section 3.2.1, abs_path) as the Request-URI, and the network location of the URI (authority) MUST be transmitted in a Host header field. For example, a client wishing to retrieve the resource above directly from the origin server would create a TCP connection to port 80 of the host "www.w3.org" and send the lines: GET /pub/WWW/TheProject.html HTTP/1.1 Host: www.w3.org So in the RFC 2616 example, "absoluteURI" is "http://www.w3.org/pub/WWW/TheProject.html" and abs_path is "/pub/WWW/TheProject.html". Applying the definition of "canonical root URL" from the appropriate section of the RFC you cite, we get a canonical root URL of "http://www.w3.org". Naturally, if the w3.org Web server were running on a different port, our "math" would look like: http://www.example.org:81/pub/WWW/TheProject.html - /pub/WWW/TheProject.html ---------------------------------------------- http://www.example.org:81 and the :81 would be part of the "authority" segment of the URI (as described in section 3.2 of RFC 2396 and section 14.23 of RFC 2616; discussion in section 3.2.2 of RFC 1945 [HTTP 1.0 spec] is similar). -Peter The Intel Pentium III chip: designed to deny your privacy Boycott Intel. http://www.privacy.org/bigbrotherinside/
Current thread:
- Re: IE and cached passwords Exchange (Aug 27)
- Re: IE and cached passwords Peter W (Aug 28)
- yet another article about stealth modules in linux. riq (Aug 28)
- Re: IE and cached passwords Aleph One (Aug 28)