- From: Joel N. Weber II <devnull@gnu.ai.mit.edu>
- Date: Thu, 4 Sep 1997 21:05:56 -0400 (EDT)
- To: jg@pa.dec.com
- Cc: luotonen@netscape.com, john@math.nwu.edu, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
If someone has authenticated themselves on a realm corresponding to http://host/dir1, the browser should not try to present those credentials to authenticate themselves at http://host/dir2. (i.e. should limit themselves to the same region of namespace that the first realm was observed for). Otherwise, one will be presenting a username and password to potentially a different agent that may then capture and/or attack using it (particularly for basic, not one of the world's best security mechanisms). In most cases, you have one server program for both directories, and it's not an issue. It might be an issue with CGIs; I don't know whether the HTTP server will keep CGIs from seeing the password for some other CGIs. But it would be insanely stupid to use basic authentication anywhere where security truly matters anyway.
Received on Thursday, 4 September 1997 18:08:46 UTC
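Added example, not part of the original message: a minimal client-side credential cache that scopes remembered Basic credentials to the scheme, host, port and directory where they were first accepted (the "protection space" rule RFC 2617 later codified), so credentials stored for http://host/dir1/ are offered for http://host/dir1/page.html but never for http://host/dir2/. The class and function names are assumptions for illustration; the URLs and credentials are constructed sample values.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProtectionSpace:
    """Region of the URI namespace in which a set of credentials may be reused."""
    scheme: str
    host: str
    port: int
    path_prefix: str  # directory, always ending in "/"


def space_for(url: str) -> ProtectionSpace:
    """Derive the protection space of a URL: its origin plus the enclosing directory."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("absolute URL with a host is required")
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    # Collapse "." / ".." / duplicate slashes so /dir2/../dir1/ is treated as /dir1/.
    path = posixpath.normpath(parts.path or "/")
    if not parts.path.endswith("/"):
        path = posixpath.dirname(path)  # strip the resource name, keep its directory
    if not path.endswith("/"):
        path += "/"  # trailing slash prevents /dir1/ from matching /dir10/
    return ProtectionSpace(scheme, parts.hostname.lower(), port, path)


class CredentialCache:
    """Remembers (user, password) per protection space and releases them only inside it."""

    def __init__(self) -> None:
        self._store: Dict[ProtectionSpace, Tuple[str, str]] = {}

    def remember(self, url: str, user: str, password: str) -> None:
        # Called after the server accepted these credentials for this URL.
        self._store[space_for(url)] = (user, password)

    def lookup(self, url: str) -> Optional[Tuple[str, str]]:
        """Return credentials to send preemptively, or None if none are in scope."""
        target = space_for(url)
        matches = [
            (space, creds) for space, creds in self._store.items()
            if (space.scheme, space.host, space.port) == (target.scheme, target.host, target.port)
            and target.path_prefix.startswith(space.path_prefix)
        ]
        if not matches:
            return None
        # Prefer the most specific (longest) matching directory.
        return max(matches, key=lambda m: len(m[0].path_prefix))[1]
```

Hooking this into a client means credentials are only attached when `lookup` returns a value for the request URL; a different scheme, port or sibling directory on the same host yields None and triggers a fresh challenge instead.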