General Information
Microsoft has very recently released a security patch whereby the standard format for sending username and password information through an HTTP URL has been removed from I.E.'s list of capabilities. This directly affects Password Protector v6.2, as our script relies on this technology to ensure that users can be logged into the AdPass system properly using the HTTP login form.
Please keep in mind that any script using htaccess is affected by this change, not just Password Protector v6.2. This is not a bug in our script: Microsoft has removed an industry standard technology from its browser, leaving developers to search for an alternative solution. No browser other than Internet Explorer is currently affected.
What does this mean?
Currently, it means that any user who is using the I.E. browser with the latest patch installed and who attempts to log into your web site through the Password Protector v6.2 login form will not be able to do so. The only way around this at present is to send the user straight to the protected directory and allow him/her to log in through the htaccess login screen, which pops up automatically.
Are you working on a solution?
Ascad Networks is working to find a way around this, whereby the HTTP login form can be used to log into a protected area; however, we cannot assign a time range for its release. Please note that this currently only affects the absolute newest version of I.E., so this feature is still available on other browsers, including I.E. "knock offs" such as Avant Browser.
Microsoft Recommended Solution
"If the Web site uses the basic authentication method, Internet Explorer automatically prompts users for a user name and a password. In some cases, users can click the Remember my password box in the dialog box to save their credentials for later visits to that Web site."
Source: http://support.microsoft.com/default.aspx?scid=kb;[LN];834489
Why Microsoft's Solution is Flawed
Those users devoted enough to use the function which Microsoft has deleted from its Internet Explorer browser will find that their options are numerous. There are hundreds of browsers (some listed below) which still allow for the selected functionality and thereby for the activity that Microsoft is trying to prevent. Furthermore, guides can easily be found on the Internet which strip the Internet Explorer browser of the changes made in this patch, thereby allowing users to use the function maliciously.
While Microsoft's concerns may have been justified, the method by which it addressed those concerns was anything but justified. Microsoft has further used the patch to increase its monopoly on the computer market by only presenting programmers with ASP solutions. (For those who are not familiar with ASP, it is the equivalent of PERL, except for one major difference: it can only be used on Windows servers.)
Current Solutions to this Issue
This issue goes beyond anything that can be built into the Password Protector v6.2 program, as the functionality was removed directly from the Internet Explorer browser. For this reason we recommend that users using Internet Explorer go directly to the protected folder and log in through the htaccess login box. However, for those webmasters wishing to include an HTML login form, we have created a solution: the usingie checkbox shown further down this page.
Future Solutions to the Problem
Ascad Networks will be changing the protection technology used by its Password Protector programs to a new protection technology (currently entitled) being developed solely for its programs. Password Protector v7.0, scheduled for a mid-2005 release, will feature this new technology and will be free to all Password Protector v6.2 users when released.
Selected Quotes on the Matter
"Microsoft may have legitimate reasons for addressing the issue, but the way they addressed it--an across-the-board kill of an industry standard--is troublesome"
- James Rosko, Software Engineer
<input type="checkbox" name="usingie" value="yes">
By placing this checkbox on your login form and having users using the Internet Explorer browser check it, Password Protector v6.2 will display login announcements as well as track login statistics and then redirect the user to his/her area. From here the user will still have to log in through the htaccess login box, as he/she is required by Internet Explorer to do so.
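The redirect decision described above, as an added example that is not Password Protector's own code. It assumes the login form hands the browser a URL that carries the credentials; the function names, the `username` and `password` field names and the example.test host are hypothetical.

```python
from urllib.parse import quote, urlsplit, urlunsplit


def login_redirect(protected_url, username, password, using_ie):
    """Return the URL a login-form handler should redirect the browser to."""
    parts = urlsplit(protected_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("protected_url must be an absolute http(s) URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("protected_url must not already carry credentials")
    if using_ie:
        # Patched Internet Explorer refuses URLs that carry credentials, so
        # send the bare URL; the browser shows the htaccess login box itself.
        return protected_url
    # Other browsers: put the credentials in the URL. Percent-encode every
    # reserved character so '@', ':' or '/' in the input stays inside the
    # userinfo part and cannot change which host the URL points at.
    userinfo = quote(username, safe="") + ":" + quote(password, safe="")
    netloc = userinfo + "@" + parts.netloc
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def handle_login_form(form, protected_url):
    """form: submitted fields as a dict; names other than usingie are assumed."""
    using_ie = form.get("usingie") == "yes"  # value of the checkbox shown above
    return login_redirect(protected_url, form["username"], form["password"], using_ie)


if __name__ == "__main__":
    area = "http://example.test/members/"  # constructed sample URL
    sample = {"username": "alice", "password": "p:w/1"}  # constructed input
    print(handle_login_form(sample, area))
    print(handle_login_form({**sample, "usingie": "yes"}, area))
```

On browsers that still accept it, a URL carrying credentials is kept in the browser history, which the bare-URL path avoids.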
Additional Articles on the Patch
Official Microsoft Patch Release Page
ZD-Net: Microsoft to issue security patch for IE
From Lawson Support.com: Disabling the Patch's Registry Keys
Alternate Browser Options
Mozilla
Avant Browser
Firefox
Netscape Navigator
Opera