Re: Security Issue with IE 5.5 sp2
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02
- In reply to: DaPostman: "Re: Security Issue with IE 5.5 sp2"
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Wed, 23 Oct 2002 09:34:05 -0400
Well, the proper place to do something like this would always be on the
server, not on the client, since on the internet you can't control what the
client does to his or her computer. I suspect this has to do with the client
caching and resending the same password and the server having no way to tell
the difference. If the browser wants to cache the password, the server
can't easily stop it from doing this. I also suspect this has more to do
with internet standards such as HTTP, since other non-Microsoft servers and
browsers also work this way to the best of my knowledge.
You're right, it would be nice to have a checkbox to disable this feature,
but people doing web browsing would have big problems if they
You're also right that it's strange that it works on one computer and not on
another, but again I think the place to fix it is on the server, since the
clients cannot be trusted, and I am guessing that the machine that is
"working" the way you want is actually not working as expected.
"DaPostman" <LarryP@Mail.Com> wrote in message
news:909401c2796a$e8453860$2ae2c90a@phx.gbl...
> I will look into the link below, but I must say that this
> is very strange that this problem hasn't surfaced enough
> whereas something was done about it.
> I figured there would be many people out there
> experiencing the same issue. Even to the point to have
> Microsoft fix this problem. With that said I must add
> that the original image I use has this problem. But a PC I
> deployed not long ago using this image, works fine. So if
> the problem is actually working as designed how can it
> work on one PC and not the other?
>
> >-----Original Message-----
> >"DaPostman" <LarryP@mail.com> wrote in message
> >news:8f5201c27933$54c513d0$36ef2ecf@tkmsftngxa12...
> >> I have a security issue that needs immediate attention.
> >> I'm sure someone here can point me on the right path.
> >>
> >> Scenario: I open up an Internet Explorer 5.5 (on a Win98 PC)
> >> and go to a site on the internet. I then open up another
> >> browser and go to a secure web application on our
> >> Intranet. (NOTE: This application requires me to login
> >> every time)
> >> When I'm done with the web application I logout of the
> >> application and close the browser. Now I kept the first
> >> browser, which was surfing the internet, open the whole
> >> time I was in my web application. At this time I only
> >> have the original browser open and if I try to go to the
> >> web application from within this browser I am not prompted
> >> to login to the application. HUGE Security issue.
> >>
> >> We image our PCs and we have one PC with the problem and
> >> one without. I have been using an app to compare the
> >> registry keys to see what the difference is, but there are
> >> many changes between the two.
> >>
> >> Can someone suggest a key or a component that might be
> >> causing this problem? Is it Active X, Java?
> >> Anyone....Bueller....Bueller?(Ferris Bueller's Day Off)
> >
> >I could be wrong, but I think this is the way IE and other web browsers have
> >always worked. The web management console for my Nortel VPN switch and also
> >my online banking website both advise me to close all instances of my web
> >browser to avoid being able to log back in.
> >
> >The only setting I could think of that might change this is the IE advanced
> >setting to run each browser in a separate process. If that doesn't do it, I
> >don't know what will. Even if that does work, it doesn't protect you if the
> >client PC doesn't have that setting or you don't control the client PC.
> >
> >For example, if I understand this correctly, the Microsoft article at the
> >site below seems to suggest that you need to jump through hoops by adding
> >code to your web app to specifically force re-authentication. There are
> >probably other solutions as well, again within the web app.
> >
> >http://www.iisfaq.com/default.asp?View=L1912&P=78
> >
> >
> >
> >.
> >
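Added example, not part of the original thread or of any product discussed in it: a sketch of the server-side approach the reply argues for, where logout revokes the session on the server so that a second browser window replaying the same token is turned away. The class name, the 15-minute idle limit and the sample account are assumptions made for illustration.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed idle limit in seconds


class SessionStore:
    """Server-side record of live sessions; the browser holds only an opaque token."""

    def __init__(self, users, clock=time.monotonic):
        self._users = users   # constructed sample accounts (a real app stores password hashes)
        self._live = {}       # token -> (user, last_seen)
        self._clock = clock

    def login(self, user, password):
        expected = self._users.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)   # unguessable, new on every login
        self._live[token] = (user, self._clock())
        return token

    def logout(self, token):
        # Revocation happens here, on the server, whatever the client keeps cached.
        self._live.pop(token, None)

    def authorize(self, token):
        entry = self._live.get(token)
        if entry is None:
            return None                     # unknown or revoked: force a fresh login
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > IDLE_TIMEOUT:
            del self._live[token]           # idle sessions expire even without logout
            return None
        self._live[token] = (user, now)
        return user


def demo():
    store = SessionStore({"larry": "constructed-password"})
    token = store.login("larry", "constructed-password")
    before = store.authorize(token)   # window used for the web application
    store.logout(token)
    after = store.authorize(token)    # other open window replays the same token
    return before, after
```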