Re: Password protected pages?

• To: "Hamilton, Ed @ OTT" <EHAMILT@ottsmtp.}.esc.lmco.com>
• Subject: Re: Password protected pages?
• From: Micah Brandon <brandon@vv.com>
• Date: Tue, 23 Jul 1996 13:05:05 -0400
• Cc: www-security@ns2.rutgers.edu

At 11:52 AM 7/22/96 EDT, you wrote:
>2.   I am not too familiar with a server's authentication scheme, but if 
>pages x, y, and z exist and x requires a password to access (and contains 
>two links to y and z), can I not just bypass it by making a bookmark at page 
>y and/or z within the secured area and then jumping directly to that page? 
> Sure I need the password once, but once I know where these pages are 
>located, can I not access them?  Certainly in some security implementations 
>you can do this (I have done this before).

        If pages y & z are NOT underneath the defined "secure" area on the
server then sure you can access them.  The idea is to only make links that 
access other secure pages, otherwise, you're defeating the purpose.

        If pages y & z are underneath the defined "secure" area on the
server then you can access them directly if you've already entered your
password before accessing page x.  Now, if you close your browser and then
try to access page y directly, you'll be prompted for a password again.

Basically, you don't have to type your password three times to access these
pages, but if you close the session and come back, no matter what secure
page you hit, you'll have to be authorized again.


--
Micah Brandon
brandon@vv.com

• Previous: Re: about cookies: draft-ietf-http-state-mgmt-03 available
• Next: COOKIE redirection to executable file (was: Re: Bloody cookies...)
• Index(es):
  • Index
  • Thread