Re: IE and cached passwords

[paulle () EXCHANGE MICROSOFT COM (Exchange)]

> -----Original Message-----
> From: Aleph One [mailto:aleph1 () underground org]
> Sent: Saturday, August 28, 1999 11:31 AM
>
> On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> > The server gets to say, in the WWW-Authenticate challenge
> header field, for which "realm" it wants credentials (name+password). If
both
> www.company.com and www.company.com:81 send the same realm, then the same
> password will continue to work.
> > This behavior is as spec'd for HTTP Authentication, RFC 2617.
> >
> > So, it is not a security flaw.
>
> Paul,
>
>   That is false. Quoting RFC2617, Page 3:
<snip>

Indeed. That'll teach me to rely on memory. Even if I was the last person to
modify those words when editing 2617.

I forwarded the bug report to the IE security team.

Paul