The server gets to say, in the WWW-Authenticate challenge header field, for
which "realm" it wants credentials (name+password). If both www.company.com
and www.company.com:81 send the same realm, then the same password will
continue to work.
This behavior is as spec'd for HTTP Authentication, RFC 2617.
So, it is not a security flaw.
> -----Original Message-----
> From: Justin King [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 19, 1999 8:58 AM
> To: [EMAIL PROTECTED]
> Subject: IE and cached passwords
>
>
> In Internet Explorer (v5/nt,v4/nt,v5/win98), when I go to a website
> (say, www.company.com), and it requests authorization (via basic
> authentication), and I enter it, I am able to browse the rest of the
> site without reentering my password on each page. This is fine.
> However, if I go to another website on the same machine, but a
> different port (say, www.company.com:81), my authentication
> information is still sent.
>
> This seems to me to be a security flaw with the browser. The
> potential for abuse doesn't really seem very high, but I do think
> it's there.
>
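
An added illustration, not part of either message: RFC 2617 section 1.2 defines a protection space as the realm combined with the canonical root URL of the server. The sketch below compares a credential cache keyed on host and realm only, which reproduces the reuse described in the thread, with one keyed on scheme, host, port and realm. The class and function names, the realm "Staff" and the credentials are constructed for the example.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REALM_RE = re.compile(r'realm="((?:[^"\\]|\\.)*)"', re.IGNORECASE)

def realm_of(challenge):
    """Extract the realm from a WWW-Authenticate header value."""
    m = REALM_RE.search(challenge)
    if m is None:
        raise ValueError("challenge carries no realm")
    return re.sub(r"\\(.)", r"\1", m.group(1))  # undo quoted-pair escapes

def root_url(url):
    """Canonical root URL as (scheme, host, port), default port made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])

class CredentialCache:
    """Hypothetical client-side cache of Basic credentials."""
    def __init__(self, include_port):
        self.include_port = include_port
        self._store = {}

    def _key(self, url, realm):
        scheme, host, port = root_url(url)
        if self.include_port:
            return (scheme, host, port, realm)  # realm is case-sensitive
        return (host, realm)                    # port and scheme ignored

    def remember(self, url, challenge, user, password):
        self._store[self._key(url, realm_of(challenge))] = (user, password)

    def lookup(self, url, challenge):
        return self._store.get(self._key(url, realm_of(challenge)))

def demo():
    """Log in on port 80, then receive the same realm from port 81."""
    challenge = 'Basic realm="Staff"'           # constructed sample challenge
    results = {}
    for name, include_port in (("host_realm", False), ("root_url_realm", True)):
        cache = CredentialCache(include_port)
        cache.remember("http://www.company.com/", challenge, "alice", "s3cret")
        results[name] = cache.lookup("http://www.company.com:81/", challenge)
    return results

if __name__ == "__main__":
    print(demo())
```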