On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> The server gets to say, in the WWW-Authenticate challenge header field, for
> which "realm" it wants credentials (name+password). If both www.company.com
> and www.company.com:81 send the same realm, then the same password will
> continue to work.
>
> This behavior is as spec'd for HTTP Authentication, RFC 2617.
>
> So, it is not a security flaw.

Paul,

That is false. Quoting RFC2617, Page 3:

"The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL (the absoluteURI for the server whose abs_path is empty; see section 5.1.2 of [2]) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database."

Note that the client must use the combination of the canonical root URL and the realm value to decide if the protection space is the same. The canonical root URL of a server in port 80 and a server in some other port will be different (http://www.foo.com:80/ vs http://www.foo.com:81/), so they indeed represent different protection spaces and IE is sending the authentication messages in error.

Now, putting aside the spec, it's silly to say that just because two web servers run on the same host they are the same and they should be trusted the same. One may be a company's official server. The other may be that of a user with shell access to the server. You don't want people accessing the protected part of the company server to hand their authentication credentials to the user now, do you?

-- 
Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
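The following is an added illustration, not code from the thread or from any browser vendor: a minimal client-side credential cache that keys stored credentials on the RFC 2617 protection space, i.e. the canonical root URL (scheme, lower-cased host, explicit port, empty path) combined with the case-sensitive realm. It shows why credentials cached for http://www.foo.com:80/ must not be replayed to http://www.foo.com:81/ even when both servers send the same realm. The host names, realm and credentials are constructed sample values; the `parse_realm`, `canonical_root_url` and `CredentialCache` names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Default ports used to make the port explicit in the canonical root URL,
# so "http://www.foo.com/" and "http://www.foo.com:80/" map to the same space.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Matches the realm directive of a challenge such as: Basic realm="Corp Intranet"
# The directive name is case-insensitive; the value is taken verbatim.
_REALM_RE = re.compile(r'\brealm\s*=\s*(?:"([^"]*)"|([^\s,]+))', re.IGNORECASE)


def parse_realm(www_authenticate: str) -> str:
    """Extract the realm value from a WWW-Authenticate header value."""
    m = _REALM_RE.search(www_authenticate)
    if not m:
        raise ValueError("challenge carries no realm directive")
    return m.group(1) if m.group(1) is not None else m.group(2)


def canonical_root_url(url: str) -> str:
    """Canonical root URL per RFC 2617: the absoluteURI of the server with an
    empty abs_path. Scheme and host are case-insensitive and are normalised;
    the port is always written out so that differing ports never collide."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not host or port is None:
        raise ValueError(f"cannot canonicalise {url!r}")
    return f"{scheme}://{host}:{port}/"


def protection_space(url: str, realm: str) -> tuple:
    """A protection space is (canonical root URL, realm); realm is case-sensitive."""
    return (canonical_root_url(url), realm)


class CredentialCache:
    """Stores one credential pair per protection space and only hands it back
    for requests that fall into exactly that space."""

    def __init__(self) -> None:
        self._creds: dict = {}

    def store(self, url: str, realm: str, username: str, password: str) -> None:
        self._creds[protection_space(url, realm)] = (username, password)

    def lookup(self, url: str, realm: str):
        """Return (username, password) for this space, or None if the client
        has never authenticated to this (root URL, realm) combination."""
        return self._creds.get(protection_space(url, realm))


def demo() -> dict:
    # Constructed scenario: the official server on :80 and a user's server on :81
    # both challenge with realm "corp".
    cache = CredentialCache()
    challenge = 'Basic realm="corp"'
    realm = parse_realm(challenge)
    cache.store("http://www.foo.com/private/", realm, "alice", "s3cret")
    return {
        "same_space_port_80": cache.lookup("http://www.foo.com:80/admin", realm),
        "other_port_81": cache.lookup("http://www.foo.com:81/", realm),
        "realm_case_differs": cache.lookup("http://www.foo.com/", "Corp"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only the request to port 80 gets the cached pair back; the port 81 server, despite presenting the identical realm string, sits in a different protection space and the client must prompt the user anew rather than replay the credentials.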
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:48 PDT