John Franks <john@math.nwu.edu> said:
[regarding my proposal to embed hostname in the password file line]
> This would mean that only one hostname could be used in the URL. I.e.
> even though host.com and www.host.com are the same host, one of the URLs
>
> http://host.com/secret.doc
> and
> http://www.host.com/secret.doc
>
> would have to fail even when the user supplied a valid username/password.
> This would be a serious flaw.

I disagree with the premise. I wouldn't encode the domain name that the
user accessed to reach my server. I would encode the name that the server
uses for itself, for example the name set by NCSA HTTPD ServerName directive.

>
> Keep in mind that the realm can be any (reasonable sized) string supplied by
> the server maintainer. Thus choosing a realm like
>
> myrealm@www.myplace.com
>
> is probably a good idea. This would prevent another server maintainer
> accidentally choosing the same realm. If another server maintainer
> maliciously chooses the same realm, at least that fact is displayed
> to the client each time access is requested. If you connect to
> www.myplace.com and see a realm with somewhere.else.com in it you
> should be very suspicious.

Thank you for motivating my second quibble, namely: I want to be able to
specify a (user/password) prompt independent of the realm. I don't think
much of a realm named "myrealm@www.myplace.com", but maybe I'm perverse.
I prefer

    Enter username for [prompt that I specify] at www.research.att.com:

to

    Enter username for myrealm@www.myplace.com at www.myplace.com

Evidently (sigh) I'm the only person in the world who feels this way.

Dave Kristol

Received on Monday, 17 July 1995 09:48:58 EDT