Re: Digest mess

>>>>> "BL" == Ben Laurie <> writes:

BL> The Apache implementation is already marked as not suitable for serious
BL> use, because of the server's vulnerability to a replay. I'm not sure how
BL> to avoid this, except, perhaps, by tying the nonce to the (rough) time
BL> and the URL. Of course, a client nonce doesn't help with this at all,

  I don't believe that I understand this comment - if the server
  always generates an unique nonce how is it vulnerable to a replay?
  Granted, if it doesn't then it has a problem...

BL> Actually, if we could insist that the digest authed request was in the
BL> same keptalive session as the original request, that'd help a lot...

  TCP connections can be hijacked - it doesn't help.

Scott Lawrence           EmWeb Embedded Server       <>
Agranat Systems, Inc.        Engineering  

Received on Tuesday, 6 January 1998 11:26:20 UTC