> -----Original Message-----
> From: Aleph One [mailto:aleph1at_private]
> Sent: Saturday, August 28, 1999 11:31 AM
>
> On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> > The server gets to say, in the WWW-Authenticate challenge
> > header field, for which "realm" it wants credentials (name+password). If both
> > www.company.com and www.company.com:81 send the same realm, then the same
> > password will continue to work.
> >
> > This behavior is as spec'd for HTTP Authentication, RFC 2617.
> >
> > So, it is not a security flaw.
>
> Paul,
>
> That is false. Quoting RFC2617, Page 3:

<snip>

Indeed. That'll teach me to rely on memory. Even if I was the last person to modify those words when editing 2617.

I forwarded the bug report to the IE security team.

Paul
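The point the thread settles on is how RFC 2617 (section 1.2) scopes a Basic credential: the protection space is the realm combined with the canonical root URL of the server, i.e. scheme, host and port, so a password entered for http://www.company.com/ must not be offered to http://www.company.com:81/ merely because the second server sends the same realm string. The following is an added example, not code from the thread or from any browser; it models a client-side credential cache keyed both ways, so the difference is visible. The function and class names, and the host, realm and credentials in the scenario, are constructed for illustration.

```javascript
// Added example: a model of a browser's HTTP Basic credential cache, keyed
// two ways. The "host + realm" key reproduces the cross-port reuse discussed
// in the thread; the RFC 2617 key (canonical root URL + realm) does not.

// Parse a WWW-Authenticate challenge such as  Basic realm="Corp Intranet"
// and return the realm string, or null if this is not a Basic challenge.
function parseBasicRealm(challenge) {
  const m = /^Basic\s+realm="((?:[^"\\]|\\.)*)"/i.exec(challenge.trim());
  return m ? m[1].replace(/\\(.)/g, '$1') : null;
}

// Canonical root URL in the RFC 2617 sense: scheme, host and port, no path.
// The WHATWG URL parser drops a default port, so it is restored explicitly.
function canonicalRoot(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// RFC 2617 protection space: canonical root URL plus realm.
function rfc2617Key(urlString, realm) {
  return `${canonicalRoot(urlString)}|${realm}`;
}

// The behaviour the thread describes: host and realm only, port ignored,
// so www.company.com:81 shares a cache entry with www.company.com:80.
function hostRealmKey(urlString, realm) {
  return `${new URL(urlString).hostname}|${realm}`;
}

class BasicCredentialCache {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.entries = new Map();
  }

  // Called after the user has supplied a password for a challenge from url.
  remember(url, challenge, username, password) {
    const realm = parseBasicRealm(challenge);
    if (realm === null) throw new Error('not a Basic challenge');
    this.entries.set(this.keyFn(url, realm), { username, password });
  }

  // Called when url sends a challenge: stored credentials for that
  // protection space, or null if the user must be prompted.
  lookup(url, challenge) {
    const realm = parseBasicRealm(challenge);
    if (realm === null) return null;
    return this.entries.get(this.keyFn(url, realm)) || null;
  }
}

// Constructed scenario (not from the thread): the user authenticates to the
// main site on port 80, then a second server on port 81 of the same host
// sends an identical realm. Returns what the cache would hand to port 81.
function replayAcrossPorts(keyFn) {
  const cache = new BasicCredentialCache(keyFn);
  const challenge = 'Basic realm="Corp Intranet"';
  cache.remember('http://www.company.com/', challenge, 'alice', 'hunter2');
  return cache.lookup('http://www.company.com:81/', challenge);
}

console.log('host+realm key  ->', replayAcrossPorts(hostRealmKey));
console.log('RFC 2617 key    ->', replayAcrossPorts(rfc2617Key));
```

With the host-plus-realm key the cache silently replays alice's password to the server on port 81; with the RFC 2617 key the lookup misses and the user is prompted, which is the behaviour the thread concludes is required. Note that the same key also separates http from https on one host, since the scheme is part of the canonical root URL.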
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:51 PDT