Be carefull with IE5 serious security failure

[Sylvain Roche]

I happen to test some of my sites with IE5. I especially tested all my sites which had security login/password access. IE5 seems to have the capacity to store the login/password couple, and when you arrive to such a page, it first propose a list of all the logins which have already been entered, and secondly, when you select a login among those that are shown in the list, it automatically fills the password field. Not that bad, the password is hidden with ***. It could have been worse ;-) Not much but still.   This combined with the poor broken (non existant ???) windows login procedure, and you have a secured site on which anybody is allowed to enter. Because, of course, I forgot to precise, all this work also with SSL secured sites :-(((   I solved the problem by spliting the form in 2 parts. One form that only contains the login input field. A second, with the password field, a button (type button), and an hidden field. When the button is pressed, it runs a little javascript function that copies the content of the first form's login input into the second's, and submit the second form. Hence, the two user's fillable field have no logical link, except that they are located on the same page. IE5 still proposes a list of logins in the first input field, but cannot link the value with a password.   I'm going to modify all the login pages I did before. I hope this will help   Sylvain   Computers are like air conditioners - they stop working properly when you open Windows   UNIX _IS_ user friendly.  It's just selective about who its friends are.   ______________________________________________ Sylvain Roche Responsable développement Add-Online www.add-online.fr   70bis rue Bossuet 69006 LYON France   tel : +33 472838583 fax: +33 472838584