- From: Scott Lawrence <scott-http@skrb.org>
- Date: Wed, 02 Jul 2003 07:25:12 -0400
- To: "Wilfred Nilsen" <wilfred.nilsen@cox.net>
- Cc: <ietf-http-wg@w3.org>
"Wilfred Nilsen" <wilfred.nilsen@cox.net> writes:

> I have some problems with implementing Digest Authentication for a
> small web-server. I do not know how many browsers support Digest
> Authentication. It seems like Mozilla and IE are supporting some of
> the features, although they do not seem to implement preemptive
> authorization.

They both implement it, though the IE implementation still does not include the query string in the hash as a part of the URL, so it will fail for any request with a query string unless you make allowances for that.

> The way I do it is to store the local 'nonce counter' in a session
> object and increment the value every time I get a request. I keep 3
> {nonce, nc} pairs. This is to prevent 'nonce' mismatch if the client
> implements preemptive authorization and the client pipelines the
> requests. I simply search for the correct {nonce, nc} pair by
> comparing the local nonce with the client nonce. I then increment the
> 'nc' value for the {nonce, nc} pair that matches the client nonce.
> The problem is that the client sometimes skips a 'nc' value. For
> example, the server and client nonce count matches say to the value
> 00000016, but then the next value from the client is 00000018?

That's valid behaviour in the client; there is no requirement that they be used in strict order - only that each value be used only once. This is because if you have multiple connections to the server open and/or if you are going through proxies, you can't ensure what the order of delivery to the origin server will be.

I suggest recording which nc values you have seen for any given nonce, and not allow reuse (I used a bit mask), but do not try to enforce ordering.

--
Scott Lawrence
http://skrb.org/scott/
[ <lawrence@world.std.com> is deprecated ]
Received on Wednesday, 2 July 2003 07:25:23 UTC
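The two allowances Scott recommends above (record each nc seen per nonce in a bit mask and reject reuse, but never enforce ordering; tolerate a digest-uri from which IE dropped the query string) are shown below as an added example. This is not Wilfred's server or Scott's code; the `NonceTracker` class, the `NC_WINDOW` limit, the `uri_matches` helper and the `authenticate` function are all constructed here for illustration, and the response computation follows RFC 2617 for qop=auth. Note that the server hashes the nc the client sent rather than a local counter, and only marks the nc as used after the response hash has verified.

```python
"""Server-side Digest Authentication bookkeeping (example code, not from the
original thread): per-nonce replay tracking with a bit mask, out-of-order nc
values accepted, and digest-uri values without the query string tolerated."""
import hashlib

NC_WINDOW = 4096  # constructed limit: the bit mask covers nc values 1..NC_WINDOW


class NonceTracker:
    """Records which nonce-count (nc) values have been seen for each server
    nonce. Ordering is not enforced; only reuse of a (nonce, nc) pair is rejected."""

    def __init__(self, window=NC_WINDOW):
        self.window = window
        self._seen = {}  # nonce -> int used as a bit mask of already-seen nc values

    def issue(self, nonce):
        """Register a freshly generated server nonce with no nc seen yet."""
        self._seen[nonce] = 0

    def accept(self, nonce, nc_hex):
        """Return True and record (nonce, nc) if that pair has not been seen;
        False for an unknown nonce, a malformed nc, an nc outside the window,
        or a replayed nc. Gaps and reordering are fine."""
        if nonce not in self._seen or len(nc_hex) != 8:
            return False
        try:
            nc = int(nc_hex, 16)
        except ValueError:
            return False
        if nc < 1 or nc > self.window:
            return False
        bit = 1 << (nc - 1)
        if self._seen[nonce] & bit:
            return False  # this nc was already used with this nonce: replay
        self._seen[nonce] |= bit
        return True


def uri_matches(request_target, digest_uri):
    """Accept a digest-uri equal to the request-target, or (the IE allowance)
    equal to the request-target with its query string removed."""
    if digest_uri == request_target:
        return True
    return digest_uri == request_target.split("?", 1)[0]


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def expected_response(username, realm, password, method, digest_uri,
                      nonce, nc_hex, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth, using the nc the client sent."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{digest_uri}")
    return _md5(f"{ha1}:{nonce}:{nc_hex}:{cnonce}:{qop}:{ha2}")


def authenticate(tracker, password_for, realm, method, request_target, params):
    """Validate one Authorization: Digest request. `params` is the parsed
    parameter dict; `password_for` maps username -> password. The nc is only
    consumed after the response hash has verified, so a bad guess cannot burn
    nc values for a legitimate client."""
    password = password_for.get(params.get("username"))
    if password is None:
        return False
    if not uri_matches(request_target, params["uri"]):
        return False
    want = expected_response(params["username"], realm, password, method,
                             params["uri"], params["nonce"], params["nc"],
                             params["cnonce"], params.get("qop", "auth"))
    if want != params["response"]:
        return False
    return tracker.accept(params["nonce"], params["nc"])
```

In `authenticate`, the digest-uri that goes into the hash is the one the client supplied (so IE's query-less value still verifies), while the access decision itself should be based on the real request-target.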