mailing list archives
RE: unable to access web site embeds username & password
From: Konstantin Ryabitsev <icon () phy duke edu>
Date: Thu, 24 Jun 2004 17:21:08 -0400
On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
Keep in mind that passing passwords on the URL like this horribly
insecure. Your password will wind up sitting in web server logs, proxy
server logs and will in some cases get sent off to other sites via the
http referer mechanism.
I don't think that's correct. We're talking about this format:
http://username:password () web site tld/
To my knowledge this will instruct the server to pass the login
information as part of the HTTP header in response to a 40x, not as part
of the actual URL, so it will not be stored in access logs on the
end-site, or on the proxy server.
Now, if the URL was something like this:
Then you would have been correct.
Konstantin Ryabitsev <icon () phy duke edu>
Duke University Physics
Description: This is a digitally signed message part
- RE: unable to access web site embeds username & password, (continued)