02-09-2004, 06:29 AM   #1
Alexander Turcic
IE security patch disables passwords in URLs

Microsoft released a patch last week that disables support for handling user names and passwords in HTTP and HTTPS. Read further if you are interested in enabling this feature again.

The problem occurs when programmers design a Web site to enable a Web user to log in by typing credentials into the URL. In such cases, the Web address might look like this:

http://username:password@www.somecompany.com/index.html.

The link gives the person access to a company's Web site when the authentication program verifies the username and password.

Because the username and password are part of the Web address and are not encrypted, embedding the credential in the URL is considered a security risk.

What Microsoft did is simply to disable the support for username:password@ URLs. Cool, heh? All of a sudden, you come in one day, and things aren't working anymore, because Microsoft has determined that a way they are doing things is not secure.

So if you still want to be able to use this feature, download and execute the attached registry-file (remove the .txt extension first).

Code:
REGEDIT4
; Enable handling user information in HTTP and in HTTPS URLs
; More info here: http://support.microsoft.com/default...b;en-us;834489
; Feb 8, 2004. Turcic.com
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000
Attached Files
File Type: txt ie_enablepassinurl.reg.txt (446 Bytes, 1509 views)
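Added example, not part of the original post: a Python sketch that finds URLs carrying `username:password@` credentials in proxy or web-server log lines and records them with the credentials stripped, so the secret is not copied into the report. The log lines and the names `strip_userinfo` and `audit` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log lines (not from the original post).
SAMPLE_LINES = [
    "GET http://username:password@www.somecompany.com/index.html 200",
    "GET https://www.somecompany.com/contact?mail=user@example.org 200",
    "GET http://backup@intranet.example:8080/status 401",
    "GET https://www.somecompany.com/index.html 200",
]

# Candidate http(s) URLs: everything up to whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def strip_userinfo(url):
    """Return (clean_url, username, had_password) for an http(s) URL."""
    parts = urlsplit(url)
    # urlsplit only reports userinfo found in the authority part, so an '@'
    # in the path or query string is not mistaken for credentials.
    if parts.username is None and parts.password is None:
        return url, None, False
    # Keep host[:port] only: everything after the last '@' of the authority.
    host = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password is not None


def audit(lines):
    """List every URL with embedded userinfo; the password is never stored."""
    findings = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            clean, user, had_password = strip_userinfo(url)
            if clean != url:
                findings.append({"line": number, "url": clean,
                                 "user": user, "password_present": had_password})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(finding)
```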