W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2003

Nonce count, digest authentication.

From: Wilfred Nilsen <wilfred.nilsen@cox.net>
Date: Mon, 30 Jun 2003 10:03:55 -0700
Message-ID: <001101c33f29$9761bd80$6401a8c0@windogs>
To: <ietf-http-wg@w3.org>

I have some problems with implementing Digest Authentication for a
small web-server.  I do not know how many browsers support Digest
Authentication.  It seems like Mozilla and IE is supporting some of
the features, although they do not seem to implement preemptive
authorization.



The way I do it is to store the local 'nonce counter' in a session
object and increment the value every time I get a request.  I keep 3
{nonce, nc} pairs.  This is to prevent 'nonce' mismatch if the client
implements preemptive authorization and the client pipelines the
requests.  I simply search for the correct {nonce, nc} pair by
comparing the local nonce with the client nonce.  I then increment the
'nc' value for the {nonce, nc} pair that matches the client nonce.



The problem is that the client sometimes skips a 'nc' value.  For
example, the server and client nonce count matches say to the value
00000016, but then the next value from the client is 00000018?



I see this problem with both Mozilla and IE.



Thanks,

Wilfred
Received on Monday, 30 June 2003 13:01:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:23 GMT