(Fwd) SECURITY ALERT: Password protection bug in Netsca

Peter Trei trei at process.com
Tue Dec 19 06:32:17 PST 1995


Jeff writes:
> This report is mostly bogus.  Netscape does not, and never
> has stored http auth passwords in files on your disk.  However
> we do cache documents from servers that use http auth.
> In this case the user had their preferences set to check the
> host site for updated content "once per session".  There is
> a bug, which we are fixing before 2.0 ships, that if the
> auth fails the document should be removed from the cache but
> was not. If the user had set their cache checking to "never",
> then if the document is in the cache, it will always be shown to
> the user, since no connection is made to the server.
>
>   Content providers who don't want their web pages cached
> should use the 'Pragma: no-cache' http header.  This will
> tell the navigator to not save the document in the disk cache.
> 
> 	--Jeff

Thanks for clearing that up - I see you've already been over to 
www-security. The fast response Netscape (and in particular, 
you yourself) make to reported problems is something I'm very
pleased to see.

Peter Trei
trei at process.com
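
Added example (not part of the original messages and not Netscape's code): a toy Python model of the cache behaviour Jeff describes, covering the "once per session" and "never" settings, the missing eviction on auth failure, and 'Pragma: no-cache'. The class names, the `/doc` URL, the passwords and the assumption that a stale entry is served on the next request in the same session are constructed for illustration.

```python
# Toy model (constructed): a browser disk cache in front of an HTTP-auth origin.
class Server:
    def __init__(self, body, password, no_cache=False):
        self.body, self.password, self.no_cache = body, password, no_cache

    def get(self, password):
        if password != self.password:
            return 401, {}, None                       # auth failed
        headers = {"Pragma": "no-cache"} if self.no_cache else {}
        return 200, headers, self.body

class Browser:
    def __init__(self, server, check="once_per_session", evict_on_auth_failure=True):
        self.server, self.check = server, check
        self.evict_on_auth_failure = evict_on_auth_failure  # False = pre-fix behaviour
        self.disk_cache = {}     # persists across sessions
        self.checked = set()     # URLs already checked with the host this session

    def new_session(self):
        self.checked.clear()

    def fetch(self, url, password):
        cached = self.disk_cache.get(url)
        if cached is not None and (self.check == "never" or url in self.checked):
            return cached                              # served without contacting the server
        status, headers, body = self.server.get(password)
        self.checked.add(url)
        if status == 401:
            if self.evict_on_auth_failure:
                self.disk_cache.pop(url, None)         # the fix: drop the stale copy
            return None                                # user sees the auth failure
        if headers.get("Pragma") != "no-cache":
            self.disk_cache[url] = body                # cacheable: save to disk
        return body

def replay(browser, url="/doc"):
    """Authorised user loads the page; a later session retries with a bad password."""
    browser.fetch(url, "pw")
    browser.new_session()
    return [browser.fetch(url, "wrong"), browser.fetch(url, "wrong")]

if __name__ == "__main__":
    print(replay(Browser(Server("secret", "pw"), evict_on_auth_failure=False)))
    print(replay(Browser(Server("secret", "pw"))))
    print(replay(Browser(Server("secret", "pw"), check="never")))
    print(replay(Browser(Server("secret", "pw", no_cache=True), check="never")))
```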