The server gets to say, in the WWW-Authenticate challenge header field, for which "realm" it wants credentials (name+password). If both www.company.com and www.company.com:81 send the same realm, then the same password will continue to work. This behavior is as spec'd for HTTP Authentication, RFC 2617. So, it is not a security flaw. > -----Original Message----- > From: Justin King [mailto:JKingat_private] > Sent: Thursday, August 19, 1999 8:58 AM > To: BUGTRAQat_private > Subject: IE and cached passwords > > > In Internet Explorer (v5/nt,v4/nt,v5/win98), when I go to a > website (say, > www.company.com), and it requests authorization (via basic > authentication), > and I enter it, I am able to browse the rest of the site > without reentering > my password on each page. This is fine. However, if I go to > another website > on the same machine, but a different port (say, > www.company.com:81), my > authentication information is still sent. > > This seem to me to be a security flaw with the browser. The > potential for > abuse doesn't really seem very high, but I do think it's there. >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:04 PDT