Re: Interop issue: how can clients force authentication?

On Wednesday, 18 September 2002, at 04:10, Lisa Dusseault wrote:

> [...]
> Can anybody come up with other clever ways for the client to try to
> authenticate?  E.g. is it possible for a client to send a reasonable
> Digest authentication header with its first request (probably a
> PROPFIND, but whatever method happens to be first), and if the
> information therein (e.g. realm) is bad, the server responds with the
> WWW-Authenticate header with the correct prompting?  That doesn't quite
> solve Ilya's performance problem, but perhaps the HTTP 1.1 Continue
> mechanism would solve that specific issue.

As someone on the list already pointed out, the client cannot
guess a valid Digest Authentication header. It's one main strength
of digest authentication that the client is not able to do this.
Otherwise an attacker might be able to use a replay attack.

I'm not sure, however, what a server will do upon seeing a nonsense
Authenticate header from the client. Will it always send a challenge
back? (Unfortunately we cannot make this a requirement in WebDAV,
since this belongs in another RFC.)

//Stefan

Received on Wednesday, 18 September 2002 04:32:51 UTC
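To illustrate why a client cannot pre-compute a usable Digest header and how a server tells a guessed or replayed one from a real one, here is an added example (not code from the thread or from any WebDAV implementation): the server mints nonces bound to a timestamp with an HMAC, the client computes the RFC 2617 `qop=auth` response from that nonce, and the server rejects any nonce it did not issue, any stale nonce, and any reused nonce count. The realm, user, password and secret are constructed values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example (hypothetical, not from the thread).
SERVER_SECRET = b"constructed-server-secret"
REALM = "dav.example.test"
USERS = {"alice": "correct horse"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def issue_nonce(now: Optional[float] = None) -> str:
    """Server side: a nonce is a timestamp plus an HMAC over it, so only the
    server can produce a value that it will later accept."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{mac}"


def nonce_is_valid(nonce: str, max_age: int = 300, now: Optional[float] = None) -> bool:
    """Reject nonces the server did not mint and nonces older than max_age."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    fresh = (now if now is not None else time.time()) - int(ts) <= max_age
    return hmac.compare_digest(mac, expected) and fresh


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """Client side, RFC 2617 with qop=auth: the response depends on the
    server's nonce, so it cannot be computed before the challenge arrives."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(user, method, uri, nonce, nc, cnonce, response, seen_nc):
    """Server side: a False result means the server must answer 401 with a
    fresh WWW-Authenticate challenge instead of accepting the request."""
    if user not in USERS or not nonce_is_valid(nonce):
        return False
    if (nonce, nc) in seen_nc:  # same nonce/nc pair seen before: replay
        return False
    expected = digest_response(user, USERS[user], method, uri, nonce, nc, cnonce)
    if not hmac.compare_digest(expected, response):
        return False
    seen_nc.add((nonce, nc))
    return True
```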