W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2003

Nonce count, digest authentication.

From: Wilfred Nilsen <wilfred.nilsen@cox.net>
Date: Mon, 30 Jun 2003 10:03:55 -0700
Message-ID: <001101c33f29$9761bd80$6401a8c0@windogs>
To: <ietf-http-wg@w3.org>

I have some problems with implementing Digest Authentication for a
small web-server.  I do not know how many browsers support Digest
Authentication.  It seems like Mozilla and IE is supporting some of
the features, although they do not seem to implement preemptive

The way I do it is to store the local 'nonce counter' in a session
object and increment the value every time I get a request.  I keep 3
{nonce, nc} pairs.  This is to prevent 'nonce' mismatch if the client
implements preemptive authorization and the client pipelines the
requests.  I simply search for the correct {nonce, nc} pair by
comparing the local nonce with the client nonce.  I then increment the
'nc' value for the {nonce, nc} pair that matches the client nonce.

The problem is that the client sometimes skips a 'nc' value.  For
example, the server and client nonce count matches say to the value
00000016, but then the next value from the client is 00000018?

I see this problem with both Mozilla and IE.


Received on Monday, 30 June 2003 13:01:40 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:36 UTC