Microsoft KB Archive/898656

= Digest authentication credentials may be visible to other applications that are based on the WinINet API that also use Digest authentication =

Article ID: 898656

Article Last Modified on 1/16/2007

-

APPLIES TO


 * Microsoft Internet Explorer (Programming)

-





SYMPTOMS
Digest authentication credentials that are used in an application that is based on the Microsoft Windows Internet (WinINet) API may be visible to other applications that are based on the WinINet API that also use Digest authentication. Applications that are based on the WinINet API include the following applications:
 * Microsoft Internet Explorer
 * Microsoft Outlook Express
 * Custom applications that use the WinINet API

For example, you connect to a URL by using Digest authentication in a custom application that is based on the WinINet API. Then, you start Internet Explorer, and you try to connect to the same URL. When you do this, the authentication dialog box that appears already contains the user name and password that you used in the custom application. To connect to the URL, you just click OK. You can save the password for future sessions by using the authentication dialog box.

Note This problem also occurs after you close the custom application if Internet Explorer was running when the custom application connected to the URL.



CAUSE
This problem occurs because Digest authentication credentials are cached across processes. The Digest.dll file implements its own credential cache. This credential cache is shared across processes through a memory-mapped file. The memory-mapped file is destroyed only when all processes that use Digest authentication are closed.

Note Both Internet Explorer and Outlook Express use the Digest.dll file for Digest authentication in the WinINet API.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
Any process that uses the Digest.dll file for Digest authentication may experience this problem even if the process does not use the WinINet API.

For more information about Digest authentication in the WinINet API, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn2.microsoft.com/en-us/library/aa384220.aspx

Keywords: kbprogramming kbauthentication kbtshoot kbprb KB898656

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.