Hi everyone,
Here's a quick security question. I'm using ZServer w/ Apache.
Someone pointed out to me today that it's possible to access a site like this:
http://username:password@mysite.com/
and the user is logged in automatically. Apparently there are cracking tools available that will attempt to guess passwords using this method, thereby gaining access to the system.
Is there any easy fix for this?
I don't believe that the username:password part of the URL ever actually goes out on the wire - my understanding of this is that IE (or other browsers that support this construct) just accept this as a convenient shorthand and that they remove the username/pw and send it in a header as usual... As far as cracking tools, I can't imagine how this would have any impact one way or the other - it's really just a client convenience. Hope this helps!

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
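Added example, not part of either message above and not Zope, ZServer or Apache code: it shows what a client that accepts the `http://username:password@host/` form actually puts on the wire (an `Authorization: Basic` header carrying base64 of `user:password`), how a guessing tool uses that shape to try one candidate password per request, and a server-side lockout that stops the guessing regardless of whether the password arrived via the URL shorthand or an explicit header. The host name, user names, passwords, wordlist and client address are constructed for illustration; `AuthGuard` is a hypothetical stand-in for whatever does the password check on the server.

```python
"""Added example (not from the original thread): what a user:password@host URL
becomes on the wire, how a password-guessing tool exploits that, and a
server-side lockout that blunts the guessing. All names, passwords and
addresses below are constructed."""
import base64
import hmac
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Return ((user, password) or None, the URL with the userinfo removed)."""
    p = urlsplit(url)
    if p.username is None:
        return None, url
    netloc = p.hostname or ""
    if p.port is not None:
        netloc += f":{p.port}"
    clean = urlunsplit((p.scheme, netloc, p.path or "/", p.query, p.fragment))
    return (unquote(p.username), unquote(p.password or "")), clean


def basic_auth_value(user, password):
    """RFC 2617 Basic credentials: base64 of 'user:password'. Encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def request_lines(url):
    """Request line and headers a userinfo-aware client sends for `url`.
    The credentials leave the URL and travel in an Authorization header."""
    creds, clean = split_userinfo(url)
    p = urlsplit(clean)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    lines = [f"GET {target} HTTP/1.0", f"Host: {p.netloc}"]
    if creds is not None:
        lines.append("Authorization: " + basic_auth_value(*creds))
    return lines


def decode_basic(header_value):
    """Server side: recover (user, password) from an Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


class AuthGuard:
    """Hypothetical password check with a per-(client, user) failure counter:
    after `max_failures` wrong guesses the pair is locked for `lockout_seconds`.
    `users` maps user -> password in clear text only to keep the example short;
    a real deployment compares against a salted hash."""

    def __init__(self, users, max_failures=5, lockout_seconds=300):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def check(self, client_ip, user, password, now):
        key = (client_ip, user)
        if now < self.locked_until.get(key, 0):
            return "locked"  # refuse without comparing at all
        expected = self.users.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            self.failures.pop(key, None)
        return "denied"


def simulate_guesser(guard, host, user, wordlist, client_ip="203.0.113.7"):
    """Replay what a guessing tool does: one request per candidate password,
    each built from a user:password@host URL; return the server's verdicts.
    Each attempt is one second after the previous one (constructed clock)."""
    verdicts = []
    for i, guess in enumerate(wordlist):
        wire = request_lines(f"http://{user}:{guess}@{host}/manage")
        auth = next(line for line in wire if line.startswith("Authorization: "))
        u, pw = decode_basic(auth[len("Authorization: "):])
        verdicts.append(guard.check(client_ip, u, pw, now=float(i)))
    return verdicts


if __name__ == "__main__":
    print("\n".join(request_lines("http://admin:s3cret@mysite.example/manage")))
    wordlist = ["123456", "password", "letmein", "s3cret"]  # constructed
    unguarded = AuthGuard({"admin": "s3cret"}, max_failures=10 ** 6)
    guarded = AuthGuard({"admin": "s3cret"}, max_failures=3, lockout_seconds=60)
    print("no lockout:", simulate_guesser(unguarded, "mysite.example", "admin", wordlist))
    print("lockout   :", simulate_guesser(guarded, "mysite.example", "admin", wordlist))
```

The wire form makes the point of the thread concrete: the shorthand URL and a hand-built `Authorization` header are indistinguishable to the server, so whatever limits repeated failures has to live on the server side (lockout or rate limiting per client and user, plus passwords that survive a wordlist), and Basic credentials should not cross untrusted networks in clear text at all.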