LSTSRV-L Archives

LISTSERV Site Administrators' Forum

lsvadmin <[log in to unmask]>
Fri, 17 Dec 1999 15:00:55 +1100
I understand now what is happening and why. I don't know how I can
stop the listowners from doing exactly this though and bypassing
authentication. Or stop anyone else from accessing their PCs
and using bookmarks to do exactly the same thing. Or, as amusing as
it may be, stop them from sending in URLs to a list somewhere not realising they
are giving out a userid and password for someone to crack.

I assume that there is no way within the server software or LISTSERV
software where I can set that pages can't be bookmarked, is there, or of
not having the arguments show in the URL on each page you actually
go to after authentication?

This may or may not cause problems, but the potential is there for
problems.

Grasping at straws here because as sure as there are people using
browsers they will bookmark these pages and avoid true authentication.
"Shouldn't" isn't the same as knowing you shouldn't. I have yet to see a
human anywhere who will not do something they shouldn't simply
because they know they shouldn't do it.

If you shouldn't do it then it should be that you simply can't even if you
try.


thanks

lsvadmin




On 16 Dec 99, at 19:45, Ben Parker wrote:

> On Fri, 17 Dec 1999 12:54:43 +1100, lsvadmin <[log in to unmask]> wrote:
>
> >I think I found the problem, after I authenticate and then save a page as
> >a bookmark, the url saved shows up along the lines of:
> >http://vogon.agric.nsw.gov.au:2306/cgi-bin/wa?LCMD&X=*****************&[log in to unmask]au
>
> Ah.  That is your login ID and password in encoded form.  LISTSERV accepts that
> and issues you a valid login 'ticket' good for 10 minutes.  In essence this
> performs a login operation for you whenever you need to access something.  Nothing
> is compromised. It is valid only for you, from that computer.
>
> Note that the best bookmark to save (and it saves without the above &X and &Y
> parameters) is the ?ADMIN page from which you can do just about anything.  So you
> are really saving a bookmark that you shouldn't.
