Sylvain,
Using forms to validate users is *not* the way to go about implementing a
secure site, anyway. Your security, just like all server access, should be
browser independent. You should attempt to use something akin to
Challenge/Response for authentication (over an SSL secured connection, of
course), or even to go as high as PKI or PCT using digital certificates.
HTML Form based authentication is fine for your webmail stuff, which is only
used for trivial matters, but if you want to make sure your site is secure
don't use it! Especially don't whinge about the browser, which is trying to
be "user friendly" (whether it succeeds or not is a matter open to debate).
-----Original Message-----
From: Sylvain Roche [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 27, 1999 9:43 AM
To: [EMAIL PROTECTED]
Subject: Be careful with IE5 serious security failure
I happened to test some of my sites with IE5. I especially tested all my sites
which had security login/password access. IE5 seems to have the capacity to
store the login/password couple, and when you arrive at such a page, it
first proposes a list of all the logins which have already been entered, and
secondly, when you select a login among those that are shown in the list, it
automatically fills the password field. Not that bad, the password is hidden
with ***. It could have been worse ;-) Not much but still.
Combine this with the poor, broken (non-existent ???) Windows login
procedure, and you have a secured site on which anybody is allowed to enter.
Because, of course, I forgot to mention, all this also works with SSL secured
sites :-(((
I solved the problem by splitting the form in 2 parts. One form that only
contains the login input field. A second, with the password field, a button
(type button), and a hidden field. When the button is pressed, it runs a
little javascript function that copies the content of the first form's login
input into the second's, and submits the second form. Hence, the two
user-fillable fields have no logical link, except that they are located on
the same page. IE5 still proposes a list of logins in the first input field,
but cannot link the value with a password.
I'm going to modify all the login pages I did before.
I hope this will help
Sylvain
Computers are like air conditioners - they stop working
properly when you open Windows
UNIX _IS_ user friendly. It's just selective about who its friends are.
______________________________________________
Sylvain Roche
Head of Development
Add-Online
www.add-online.fr
70bis rue Bossuet
69006 LYON
France
tel: +33 472838583
fax: +33 472838584
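The split-form workaround Sylvain describes, written out as an added example (this is not code from the original thread). The form ids, field names and the `/login` action are assumed; it also hooks the second form's submit event, not only the button, so that pressing Enter in the password field copies the login as well.

```html
<!-- Form 1: only the login field. The browser may still offer past logins
     here, but this form holds no password to pair them with. -->
<form id="loginForm" onsubmit="return false;">
  <label>Login: <input type="text" name="login_display" id="loginDisplay"></label>
</form>

<!-- Form 2: password, a hidden login field and a plain button (type="button").
     The two visible inputs never share a form. -->
<form id="passwordForm" method="post" action="/login" onsubmit="return copyLogin();">
  <input type="hidden" name="login" id="loginHidden">
  <label>Password: <input type="password" name="password"></label>
  <button type="button" onclick="submitPasswordForm()">Sign in</button>
</form>

<script>
  // Copy the login typed in the first form into the hidden field of the
  // second form, so the server still receives login and password together.
  function copyLogin() {
    var login = document.getElementById('loginDisplay').value;
    if (login === '') {
      alert('Please enter your login.');
      return false;            // abort submission of the second form
    }
    document.getElementById('loginHidden').value = login;
    return true;
  }

  // Button handler: run the copy, then submit the second form.
  // form.submit() does not fire onsubmit, so copyLogin() is called explicitly.
  function submitPasswordForm() {
    if (copyLogin()) {
      document.getElementById('passwordForm').submit();
    }
  }
</script>
```

The server-side login handler is unchanged: it still receives one POST with `login` and `password` fields.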
===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
FAQs on JSP can be found at:
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.html