
Re: Basic Authentication behavior

From: Joel N. Weber II <devnull@gnu.ai.mit.edu>
Date: Thu, 4 Sep 1997 21:05:56 -0400 (EDT)
Message-Id: <199709050105.VAA26360@melange.gnu.ai.mit.edu>
To: jg@pa.dec.com
Cc: luotonen@netscape.com, john@math.nwu.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
   If someone has authenticated themselves on a realm corresponding to
   http://host/dir1, the browser should not try to present those
   credentials to authenticate themselves at http://host/dir2.
   (i.e. should limit themselves to the same region of namespace
   that the first realm was observed for).

   Otherwise, one will be presenting a username and password to
   potentially a different agent that may then capture and/or attack
   using it (particularly for basic, not one of the world's best
   security mechanisms).

In most cases, you have one server program for both directories, and
it's not an issue.

It might be an issue with CGIs; I don't know whether the HTTP server
will keep CGIs from seeing the password for some other CGIs.

But it would be insanely stupid to use basic authentication anywhere
where security truly matters anyway.
Received on Thursday, 4 September 1997 18:08:46 EDT
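The scoping rule the quoted paragraph asks for (a browser offers Basic credentials only for URLs under the path prefix where the challenge was first seen, and never to a different host or scheme) is shown below as an added example. It is not code from the original message or from any browser; the class and method names are this example's own, and the sample host, realm and credentials are constructed.

```python
"""Client-side scoping of HTTP Basic credentials.

Added example, not part of the original mailing-list message. A
credential learned from a challenge on http://host/dir1/... is offered
again for http://host/dir1/..., but not for http://host/dir2/, for
another host, or for another scheme. The names here are hypothetical.
"""
import base64
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """(scheme, host, port) with the default port filled in so that
    http://host/ and http://host:80/ compare equal."""
    return (parts.scheme, parts.hostname,
            parts.port or _DEFAULT_PORTS.get(parts.scheme))


def _directory_of(path):
    """Directory prefix of a URL path, always ending in '/'.

    A challenge seen on /dir1/index.html covers /dir1/; one seen on
    /dir1/ covers itself; an empty path means the whole site.
    """
    if not path:
        return "/"
    if path.endswith("/"):
        return path
    return path.rsplit("/", 1)[0] + "/"


class ScopedBasicCredentialStore:
    """Remembers Basic credentials per origin and path prefix and only
    offers them for requests that fall inside that prefix."""

    def __init__(self):
        # Each entry: (origin, path_prefix, realm, user, password)
        self._entries = []

    def remember(self, challenge_url, realm, user, password):
        """Record credentials for the URL on which a 401 was answered."""
        parts = urlsplit(challenge_url)
        self._entries.append(
            (_origin(parts), _directory_of(parts.path), realm, user, password))

    def authorization_for(self, request_url):
        """Return an Authorization header value for request_url, or None
        when no remembered credential is in scope for it."""
        parts = urlsplit(request_url)
        req_origin = _origin(parts)
        req_path = parts.path or "/"
        for origin, prefix, _realm, user, password in self._entries:
            if origin != req_origin:
                continue  # different host, port or scheme: never send
            # Prefix ends in '/', so /dir1/ does not match /dir10/.
            # A request for /dir1 without the slash is treated as in scope.
            if req_path == prefix.rstrip("/") or req_path.startswith(prefix):
                token = base64.b64encode(f"{user}:{password}".encode()).decode()
                return f"Basic {token}"
        return None


if __name__ == "__main__":
    store = ScopedBasicCredentialStore()
    # Constructed sample: a challenge was answered under /dir1/.
    store.remember("http://host/dir1/index.html", "Staff", "alice", "s3cret")
    for url in ("http://host/dir1/other.html", "http://host/dir2/",
                "http://host/dir10/", "http://other/dir1/"):
        print(url, "->", store.authorization_for(url))
```

The lookup deliberately ignores the realm string: a preemptive request has no realm to compare against, and matching on realm alone would let any handler on the same server that echoes the same realm name collect the password, which is exactly the concern raised above.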