LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Ben Parker <[log in to unmask]>
Thu, 16 Dec 1999 22:13:41 -0700
On Fri, 17 Dec 1999 15:00:55 +1100, lsvadmin <[log in to unmask]> wrote:

>I understand now what is happening and why. I don't know how I can
>stop the listowners from doing exactly this though and bypassing
>authentication.

They are NOT bypassing authentication!  They are merely supplying a userID and
password as part of the URL bookmarked.  If you look at the LISTSERV log file
you will see that authentication does in fact occur, it just happens very fast
and automatically so it looks like it isn't happening.  This is functionally no
different than the user retaining their login information in a 'cookie'.

The one way to prevent this is to remove the user's password.  Without a
password this will also fail.  Of course that has other undesirable side
effects.

>Or from stopping anyone else from accessing their PCs
>and using bookmarks to do exactly the same thing.

This is a matter of physical security of their machine which is not something
LISTSERV can be expected to assume responsibility for.  It goes along with
choosing appropriately secure passwords and changing them frequently, etc.

>Or, as amusing as
>it may be, from sending in URLs to a list somewhere not realising they
>are giving out a userid and passwd for someone to crack.

This is a matter of education.
