On Sat, Apr 27, 2002 at 03:32:45AM +0200, martin f krafft wrote:
> also sprach Dan Faerch <[EMAIL PROTECTED]> [2002.04.26.1955 +0200]:
> > Second more, if your users are allowed to have pages on the same
> > address as the login system, the browser can, without much effort,
> > be tricked into giving away your system's username and password to
> > a personal user page...
>
> how?
Take a look at http://www.php.net/manual/ro/features.http-auth.php

If someone's already logged in, and they visit a webpage on the same domain which asks for a username and password for the same realm as the one used to log in, the browser will send the username/password pair without asking the user for any confirmation.

At least I assume that's what Dan meant above, and I assume that that would happen (I haven't tried it myself).

Gareth
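To make the realm rule Gareth describes concrete, here is a small model of a browser's Basic-auth credential cache (an added example, not code from the thread or from PHP's manual): credentials are stored per protection space, which RFC 2617 defines as the server's canonical root URL plus the realm, and are replayed without a prompt on any later challenge in the same space. The hostnames, realm name and credentials are constructed for the example; the last case shows why serving user pages from a separate hostname is the usual fix.

```python
import base64
import re
from urllib.parse import urlsplit

# Matches 'Basic realm="..."' as a browser would when deciding whether to prompt.
_REALM_RE = re.compile(r'^\s*Basic\s+.*?realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_basic_realm(www_authenticate):
    """Return the realm from a WWW-Authenticate: Basic header, or None."""
    m = _REALM_RE.match(www_authenticate)
    return m.group(1) if m else None


def protection_space(url, realm):
    """RFC 2617 protection space: (scheme, host, port, realm)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port, realm)


class BrowserAuthCache:
    """Assumed model of how a browser caches Basic credentials (not any real browser's code)."""

    def __init__(self):
        self._store = {}

    def login(self, url, www_authenticate, user, password):
        """The user typed credentials at a prompt; remember them for this protection space."""
        realm = parse_basic_realm(www_authenticate)
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._store[protection_space(url, realm)] = "Basic " + token

    def answer_challenge(self, url, www_authenticate):
        """Authorization header sent silently for this challenge, or None if the user would be prompted."""
        realm = parse_basic_realm(www_authenticate)
        if realm is None:
            return None
        return self._store.get(protection_space(url, realm))


def demo():
    """Constructed scenario: login on the site, then three challenges from a user page."""
    cache = BrowserAuthCache()
    cache.login("https://example.test/login", 'Basic realm="Members"', "alice", "s3cret")
    return {
        # Same host, same realm: replayed silently (the risk raised in the thread).
        "same_host_same_realm": cache.answer_challenge("https://example.test/~someuser/", 'Basic realm="Members"'),
        # Same host, different realm: the browser would prompt instead.
        "same_host_other_realm": cache.answer_challenge("https://example.test/~someuser/", 'Basic realm="Other"'),
        # Separate hostname for user pages: different protection space, so no replay.
        "other_host_same_realm": cache.answer_challenge("https://users.example.test/~someuser/", 'Basic realm="Members"'),
    }
```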