
Re: Basic Authentication behavior

From: Jim Gettys <jg@pa.dec.com>
Date: Tue, 2 Sep 1997 12:26:33 -0700
Message-Id: <9709021926.AA03914@pachyderm.pa.dec.com>
To: Ari Luotonen <luotonen@netscape.com>
Cc: John Franks <john@math.nwu.edu>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4264

I agree with Ari.

There is a security consideration hiding here, though....

If someone has authenticated themselves on a realm corresponding to
http://host/dir1, the browser should not try to present those
credentials to authenticate themselves at http://host/dir2.
(i.e., it should limit itself to the same region of the namespace
in which the first realm was observed).

Otherwise, one will be presenting a username and password
potentially to a different agent that may then capture and/or attack
using it (particularly for Basic, not one of the world's best
security mechanisms).

I don't remember any such security consideration in the current document.
				- Jim
Received on Tuesday, 2 September 1997 12:36:55 UTC
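The scoping rule Jim describes, as an added example that is not part of the original message or of any browser's code: a small client-side cache that remembers Basic credentials together with the origin and directory of the request that was challenged, and only attaches them preemptively to requests inside that region of the namespace. The scoping follows what RFC 2617 (and its successor RFC 7617, section 2.2) call the protection space: the same origin plus all paths at or below the directory of the challenged URI. The class and method names, and the sample URLs, realm and password, are assumptions made for illustration; a naive host-only lookup is included beside it to show exactly what the message warns against.

```javascript
// Added example, not code from the original message or any real client.
// Scopes cached Basic credentials to the protection space of the challenge:
// same origin, and a path at or below the directory of the challenged URI.

function base64Ascii(s) {
  // btoa exists in browsers and in Node >= 16; fall back to Buffer otherwise.
  return typeof btoa === 'function'
    ? btoa(s)
    : Buffer.from(s, 'latin1').toString('base64');
}

class BasicCredentialCache {
  constructor() {
    // One entry per (origin, realm): the Authorization header value and the
    // list of directory prefixes at which that realm has been challenged.
    this.entries = [];
  }

  // Directory of a path: everything up to and including the last '/'.
  // Note that a challenge at "/dir1" (no trailing slash) yields "/", so the
  // whole origin becomes the space; "/dir1/" yields "/dir1/".
  static directoryOf(pathname) {
    return pathname.slice(0, pathname.lastIndexOf('/') + 1);
  }

  // Record credentials after a 401 with "WWW-Authenticate: Basic realm=..."
  // at challengeUrl was answered successfully. Charset handling (RFC 7617
  // "charset" parameter) is out of scope here; credentials are ASCII.
  remember(challengeUrl, realm, username, password) {
    const u = new URL(challengeUrl); // also normalises "." and ".." segments
    const prefix = BasicCredentialCache.directoryOf(u.pathname);
    const header = 'Basic ' + base64Ascii(`${username}:${password}`);
    let e = this.entries.find((x) => x.origin === u.origin && x.realm === realm);
    if (!e) {
      e = { origin: u.origin, realm, prefixes: [], header };
      this.entries.push(e);
    }
    // A later challenge for the same realm elsewhere on the origin extends
    // the space to that directory as well.
    if (!e.prefixes.includes(prefix)) e.prefixes.push(prefix);
  }

  // Scoped lookup: returns the Authorization value to send preemptively, or
  // null when requestUrl lies outside every known protection space (other
  // origin, or a path such as /dir2/ after a challenge seen only at /dir1/).
  authorizationFor(requestUrl) {
    const u = new URL(requestUrl);
    for (const e of this.entries) {
      if (u.origin !== e.origin) continue;
      if (e.prefixes.some((p) => u.pathname.startsWith(p))) return e.header;
    }
    return null;
  }

  // The behaviour the message warns against: reuse credentials for anything
  // on the same host, regardless of where the realm was observed.
  naiveAuthorizationFor(requestUrl) {
    const u = new URL(requestUrl);
    const e = this.entries.find((x) => new URL(x.origin).hostname === u.hostname);
    return e ? e.header : null;
  }
}

// Constructed scenario: the user authenticated once under /dir1/.
function demo() {
  const cache = new BasicCredentialCache();
  cache.remember('http://host/dir1/index.html', 'Reports', 'alice', 's3cret');
  return {
    sameSpace: cache.authorizationFor('http://host/dir1/q1/report.pdf'),
    otherDir: cache.authorizationFor('http://host/dir2/'),
    otherDirNaive: cache.naiveAuthorizationFor('http://host/dir2/'),
    otherScheme: cache.authorizationFor('https://host/dir1/'),
    dotSegments: cache.authorizationFor('http://host/dir1/../dir2/x'),
  };
}

module.exports = { BasicCredentialCache, demo, base64Ascii };
```

Run with `node` and inspect `demo()`: the scoped lookup returns the header only for the first URL (the `dotSegments` case resolves to `/dir2/x` and is refused too), while the naive host-only lookup happily hands the same credentials to `/dir2/`, which may be served by a different party on the same host.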
