On 20 Dec 99, at 19:05, Roger Fajman wrote:

> > On first voicing the problem I was told that I was bookmarking pages I
> > shouldn't. The concern expressed by everyone that I have talked to has
> > been that if I am bookmarking pages I shouldn't then that constitutes a
> > security problem in the product.
> >
> > That is:-
> > the ability to bookmark a page that SHOULDN'T be bookmarked is the
> > security problem
>
> Maybe so, but it's not a problem in LISTSERV. It's the browser that
> does bookmarking. I've never heard of a way to designate a URL as
> not allowed to be bookmarked.
>

Yet I was told I was bookmarking pages I shouldn't be. To me this means that if I shouldn't be doing it, I shouldn't be able to do it, as it is a basic function of most browsers to allow the user to bookmark often visited pages.

URLs don't have to contain the userid and password, they don't have to contain valid arguments to a cgi-script. This can be done differently. In the time I can spend in researching I have been able to find out that it may be whether GET or POST is used for that login that decides whether the URL displays the userid and login as arguments to wa. Using GET generally drops that info in, while using POST requires a bit more programming, but doesn't display that information. I have to check it out further yet to be sure this is correct.

I don't know if this should be classed as a Listserv problem either. There are no warnings about what might happen here if you do bookmark a page once you are past that authentication area, and no warnings saying you shouldn't bookmark any pages past that authentication area at all. The only mention I have been able to find in the Site Managers manual was on page 27: "Please note that when removing a list from the WWW archive interface, you MUST delete the list's directory under 'archives'. Otherwise someone with a bookmarked URL may still be able to access some of the archives via the web."

Other mention is made in the List Owner's Manual but is regarding only the action of saving your password as a cookie (pg 112) and a little further in a note (pg 114). This covers only saving it as a cookie and does not mention that if you don't save it as a cookie and bookmark pages inside of there you are effectively saving your passwd for differing amounts of time and bypassing that login screen for differing amounts of time (seems to be browser dependent and may be server dependent but I am not sure about the server side).

Sorry, but if it isn't covered, how can anyone know they are not supposed to do it, and that is a documentation problem.
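
Added example, not part of the original message and not LISTSERV code: it shows where HTML form fields travel for GET versus POST, plus a check and a redaction step for URLs that carry a password before they are logged or stored. The host, the `/cgi-bin/` path, the field names and the sample values are assumptions; the message names only the `wa` script.

```python
"""Where login fields end up for GET vs POST, and a check for URLs that carry them."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Assumed field names and script path; the message names only the "wa" CGI script.
SENSITIVE = {"password", "passwd", "pw"}
LOGIN_URL = "http://lists.example.org/cgi-bin/wa"

def submit(method, url, fields):
    """Return (url, body) as a browser would send them for an HTML form."""
    encoded = urlencode(fields)
    if method.upper() == "GET":
        return f"{url}?{encoded}", b""        # fields become part of the URL
    return url, encoded.encode("ascii")       # fields travel in the request body

def leaked_fields(url):
    """Names of sensitive parameters present in a URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})

def redact(url):
    """Copy of the URL that is safe to write to logs or reports."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

# Constructed sample values, not taken from any real system.
FIELDS = {"user": "owner@example.org", "password": "s3cret", "list": "TEST-L"}

if __name__ == "__main__":
    for method in ("GET", "POST"):
        url, body = submit(method, LOGIN_URL, FIELDS)
        print(method, "URL :", redact(url))
        print(method, "body:", len(body), "bytes; leaked in URL:", leaked_fields(url))
```

With GET the password is part of whatever the browser bookmarks and of anything else that records the URL; with POST the bookmarked URL carries no form fields.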