- From: John Franks <john@math.nwu.edu>
- Date: Mon, 17 Jul 1995 10:12:16 -0500 (CDT)
- To: Chuck Shotton <cshotton@biap.com>
- Cc: dmk@allegra.att.com, john@math.nwu.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
According to Chuck Shotton:
>
> According to Kristol:
> >Fair enough. How about using the server-name in place of realm, then?
> >(After all, it's possible two webmasters might choose the same realm
> >name on different servers, isn't it!) That would render the same
> >username/password combination unique on different machines. So the
> >stored hash would be:
> >
> > H(<username> : <server-domain-name> : <password>)
>
> This isn't any better, given that one user may have multiple occurrences of
> the same name and password for different realms. (It happens!) The best
> would be a combination of host domain name and realm name.
>

This would mean that only one hostname could be used in the URL. I.e. even though host.com and www.host.com are the same host, one of the URLs http://host.com/secret.doc and http://www.host.com/secret.doc would have to fail even when the user supplied a valid username/password. This would be a serious flaw.

Keep in mind that the realm can be any (reasonably sized) string supplied by the server maintainer. Thus choosing a realm like myrealm@www.myplace.com is probably a good idea. This would prevent another server maintainer accidentally choosing the same realm. If another server maintainer maliciously chooses the same realm, at least that fact is displayed to the client each time access is requested. If you connect to www.myplace.com and see a realm with somewhere.else.com in it you should be very suspicious.

John Franks
Received on Monday, 17 July 1995 08:14:20 UTC
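As an added illustration of the argument in the message above (example code, not part of the original post or of any HTTP working group draft): a stored hash keyed on the realm serves both spellings of the host, a hash keyed on the hostname does not, and the "realm names a different domain" warning Franks describes can be checked mechanically on the client side. H is assumed to be MD5 as in HTTP Digest; the usernames, passwords and hostnames are constructed sample values.

```python
import hashlib


def realm_bound_hash(username: str, realm: str, password: str) -> str:
    """H(username:realm:password) as stored on the server (H = MD5 assumed)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def host_bound_hash(username: str, host: str, password: str) -> str:
    """Kristol's alternative, H(username:server-domain-name:password)."""
    return hashlib.md5(f"{username}:{host}:{password}".encode()).hexdigest()


def same_host(a: str, b: str) -> bool:
    """True when one name is the other or a subdomain of it (host.com vs www.host.com)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def realm_matches_server(realm: str, connected_host: str) -> bool:
    """Franks' heuristic: a realm of the form name@domain should name the
    server we actually connected to; a realm without '@' carries no domain
    to compare and is accepted as-is."""
    if "@" not in realm:
        return True
    realm_host = realm.rsplit("@", 1)[1]
    return same_host(realm_host, connected_host)


def demo() -> dict:
    # constructed credentials; the realm embeds the server name as Franks suggests
    user, pw, realm = "alice", "correct-horse", "myrealm@www.myplace.com"
    stored = realm_bound_hash(user, realm, pw)
    return {
        # realm-keyed: one stored value, valid whichever hostname the URL used
        "realm_keyed_same": realm_bound_hash(user, realm, pw) == stored,
        # host-keyed: myplace.com and www.myplace.com would need different entries
        "host_keyed_differs": host_bound_hash(user, "myplace.com", pw)
        != host_bound_hash(user, "www.myplace.com", pw),
        "expected_realm_ok": realm_matches_server(realm, "www.myplace.com"),
        "parent_host_ok": realm_matches_server(realm, "myplace.com"),
        "foreign_realm_flagged": not realm_matches_server(
            "myrealm@somewhere.else.com", "www.myplace.com"),
    }


if __name__ == "__main__":
    print(demo())
```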