Running IIS4 on NT4 (SP5) server. Several web pages have permissions assigned with NT ACL (both NT Challenge/Response and Basic Authentication). Discovered that protected pages can be viewed by unauthorized user (presumably from cache) if authorized user previously accessed pages from same computer client. This happens even after the browser has been completely closed and then reopened. An unauthorized user accesses the page by hitting the page link. This brings up the pop-up logon window. Hit cancel. User gets a 401 screen. Hit the back button. Hit the forward button. Voilà . . . the user without credentials has access to the protected content. I've tested this behavior on NT4 WS, Win98 and Win2000 clients with the same results. Posts at the MS newsgroups yielded little response.
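An added example, not part of the original post: assuming the pages are redisplayed from the client's cache, as the poster presumes, this check reports whether a response for a protected page carries the headers that tell browsers not to keep a copy. The function names and both sample responses are constructed for illustration.

```python
from datetime import datetime, timezone
from email.parser import Parser
from email.utils import parsedate_to_datetime

def parse_head(raw):
    """Split a raw HTTP response head into (status code, header mapping)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(header_block, headersonly=True)

def tokens(headers, name):
    """Lower-cased directive names from every occurrence of a list-valued header."""
    return {part.strip().lower().split("=")[0]
            for value in headers.get_all(name, []) for part in value.split(",")}

def expired(value):
    """True if an Expires value is already in the past; invalid dates count as expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def cache_findings(raw):
    """Reasons a client may keep a copy of this response; empty list means none found."""
    status, headers = parse_head(raw)
    if status != 200:
        return []  # the 401 challenge itself carries no protected content
    findings = []
    if "no-store" not in tokens(headers, "Cache-Control"):
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in tokens(headers, "Pragma"):
        findings.append("Pragma lacks no-cache (HTTP/1.0 clients)")
    if headers.get("Expires") is None or not expired(headers["Expires"]):
        findings.append("Expires is missing or in the future")
    return findings

# Constructed sample responses (not captured from the server in the post).
AS_SERVED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
             "Content-Type: text/html\r\n\r\n<html>protected</html>")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
            "Cache-Control: no-store, no-cache\r\nPragma: no-cache\r\n"
            "Expires: Thu, 01 Jan 1998 00:00:00 GMT\r\n"
            "Content-Type: text/html\r\n\r\n<html>protected</html>")

if __name__ == "__main__":
    for name, raw in (("as served", AS_SERVED), ("hardened", HARDENED)):
        print(name, "->", cache_findings(raw) or "no findings")
```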
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:21 PDT