W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2003

Re: Nonce count, digest authentication.

From: Scott Lawrence <scott-http@skrb.org>
Date: Wed, 02 Jul 2003 07:25:12 -0400
To: "Wilfred Nilsen" <wilfred.nilsen@cox.net>
Cc: <ietf-http-wg@w3.org>
Message-ID: <u8yrhi31j.fsf@skrb.org>

"Wilfred Nilsen" <wilfred.nilsen@cox.net> writes:

> I have some problems with implementing Digest Authentication for a
> small web-server.  I do not know how many browsers support Digest
> Authentication.  It seems like Mozilla and IE is supporting some of
> the features, although they do not seem to implement preemptive
> authorization.

They both implement it, though the IE implementation still does not
include the query string in the hash as a part of the URL, so it will
fail for any request with a query string unless you make allowances
for that.

> The way I do it is to store the local 'nonce counter' in a session
> object and increment the value every time I get a request.  I keep 3
> {nonce, nc} pairs.  This is to prevent 'nonce' mismatch if the client
> implements preemptive authorization and the client pipelines the
> requests.  I simply search for the correct {nonce, nc} pair by
> comparing the local nonce with the client nonce.  I then increment the
> 'nc' value for the {nonce, nc} pair that matches the client nonce.

> The problem is that the client sometimes skips a 'nc' value.  For
> example, the server and client nonce count matches say to the value
> 00000016, but then the next value from the client is 00000018?

That's valid behaviour in the client; there is no requirement that
they be used in strict order - only that each value be used only
once.  This is because if you have multiple connections to the server
open and/or if you are going through proxies, you can't ensure what
the order of delivery to the origin server will be.

I suggest recording which nc values you have seen for any given nonce,
and not allow reuse (I used a bit mask), but do not try to enforce

Scott Lawrence        
  [ <lawrence@world.std.com> is deprecated ]
Received on Wednesday, 2 July 2003 07:25:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:36 UTC