SHH 2000-05-11
  * When falling back to Basic authentication, allow the user to
    specify "DOMAIN\USERNAME" or "DOMAIN/USERNAME" in addition to just
    "USERNAME".  Extract the DOMAIN, and compare it to the domain
    served.

  * Look for, and fix security holes.  The code seems to be a real
    patchwork from several sources, so I guess there are more bugs in
    there.  We better find the holes before anyone else does.

-------------------------------------------------------------------------------
$Id: TODO,v 1.2 2003/02/21 01:55:13 casz Exp $
-------------------------------------------------------------------------------