(Fwd) SECURITY ALERT: Password protection bug in Netsca
Peter Trei
trei at process.com
Tue Dec 19 06:32:17 PST 1995
Jeff writes:
> This report is mostly bogus. Netscape does not, and never
> has stored http auth passwords in files on your disk. However
> we do cache documents from servers that use http auth.
> In this case the user had their preferences set to check the
> host site for updated content "once per session". There is
> a bug, which we are fixing before 2.0 ships, that if the
> auth fails the document should be removed from the cache but
> was not. If the user had set their cache checking to "never",
> then if the document is in the cache, it will always be shown to
> the user, since no connection is made to the server.
> Content providers who don't want their web pages cached
> should use the 'Pragma: no-cache' http header. This will
> tell the navigator to not save the document in the disk cache.
>
> --Jeff
Thanks for clearing that up - I see you've already been over to
www-security. The fast response Netscape (and in particular,
you yourself) make to reported problems is something I'm very
pleased to see.
Peter Trei
trei at process.com
More information about the cypherpunks-legacy
mailing list