Re: Authentication how:to
From: Winfried Kaiser (w.kaiser_nospam__at_fortune.de)
Date: 03/01/04
Date: Mon, 1 Mar 2004 06:38:37 +0100
This braindead "security patch", which is a total overkill (and easily could
have been done much more intelligently without dropping the
URL-authentication feature), apparently created tons of problems, if you
look into the newsgroups.
Why, for heaven's sake, was it necessary to drop the
"http://username:password@www.myserver.com" functionality? I firmly believe
it was not! It would have been sufficient to make sure that the URL part
before the "@" used the correct syntax "username:password", and not
something like "http://www.fakeserver.com@www.evilserver.com", with which IE
easily allowed URL spoofing.
The only good thing MS has done in that area is that they have provided a
means to restore the old functionality:
Put the following entries into a file (e.g. "iexplore.reg"), and double-click
on it. Then IE will work like before!
======================================================================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\iexplore.exe]
"iexplore.exe"=dword:00000000
======================================================================================
--
Dipl.-Ing.(TH) Winfried Kaiser
c/o Fortune Systems GmbH & Co.
Postfach 1
24973 Husby
Germany
Fon: (0)4634-746
Fax: (0)4634-1517

"Mick" <mick.oneill@NOSPAM.advdata.com.au> wrote in message
news:Oc3IiX0$DHA.2632@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> Since the new IE security update, our client application is experiencing a
> UI problem, forcing the user to log in excessively. The client (in VB)
> displays a WebBrowser control with a list of documents available on the
> server, as links. When the user clicks on the link, the document is opened
> in a new IE window. The user authentication is passed through the WebBrowser
> headers, but when the IE window opens, it does not know of this
> authentication, and consequently prompts for it.
>
> Previously, we trapped the BeforeNavigate event, and then ShellExecuted the
> link with the authentication passed as part of the URL. The new IE update
> has stopped this method of passing authentication to a URL, so it no longer
> works.
>
> If someone could point me towards some documentation to provide a method of
> passing the authentication through to the new link, it would be very much
> appreciated.
>
> TIA
>
> Mick
>
>

---
This e-mail is virus-free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.600 / Virus Database: 381 - Release Date: 28.02.2004
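
Added example (not part of the original message or thread): a Python sketch of the kind of check the message describes, inspecting the part of an http URL before the "@" and reporting the host the client would really connect to. It also flags a host-like user name when a password is present, which goes slightly beyond the message's wording; the function names, the host-like pattern and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: "host-like" means dot-separated DNS labels ending in an
# alphabetic TLD, or a dotted-quad IPv4 address.
HOSTLIKE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}",
    re.IGNORECASE,
)

def classify_authority(url):
    """Return (verdict, real_host); real_host is what the client connects to."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.username is None:        # no "@" in the authority at all
        return ("no-userinfo", host)
    user = unquote(parts.username)    # decode percent-escapes before matching
    if HOSTLIKE.fullmatch(user):
        # The text left of "@" reads as a server name, but the request
        # goes to `host`, the text right of "@".
        return ("host-like-userinfo", host)
    if parts.password is None:
        return ("user-only", host)
    return ("credentials", host)

def flag_spoof_candidates(urls):
    """Return [(url, real_host)] for URLs whose userinfo looks like a host name."""
    flagged = []
    for url in urls:
        verdict, host = classify_authority(url)
        if verdict == "host-like-userinfo":
            flagged.append((url, host))
    return flagged

# Constructed sample input; the first two URLs are the forms quoted in the message.
SAMPLE_URLS = [
    "http://username:password@www.myserver.com",
    "http://www.fakeserver.com@www.evilserver.com",
    "http://www.myserver.com/docs/list.html",
    # Host-like user name even though a password is present (constructed).
    "http://www.fakeserver.com:secret@www.evilserver.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_authority(u), u)
```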