httpd-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Digest auth - no nonce/replay checking
Date Tue, 16 Dec 2003 22:04:10 GMT

Unless I missed something we nicely issue a nonce during digest auth
(based on r->request_time) - but when the reply comes in with an
(Proxy-)Authenticate header we use the nonce provided by the client; and
do not check if it was anywhere near reasonably likely that we issued it.

So I guess

->	The release notes and the digest docs should
	probably contain a warning that we are not
	hardened against certain replay attacks.

->	Long term we probably want to solve this; e.g.
	by using a hash over a static secret or something.


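The stateless check the message proposes (a nonce that carries a hash over a server-side static secret, so the server can tell whether it issued it and how old it is) written out as an added Python example. This is illustration only, not mod_auth_digest code and not the fix httpd eventually shipped; the secret, realm, lifetime, the timestamp:MAC nonce layout and the NonceCountTracker (a per-nonce high-water mark on the Digest `nc` field, which goes one step beyond the text's suggestion) are all assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

# Constructed values for the example. A real server would generate the secret
# at startup (shared across worker processes) and never send it to clients.
SERVER_SECRET = b"example-static-secret-not-for-production"
REALM = "example@realm"
NONCE_LIFETIME = 300  # seconds before a genuine nonce is answered with stale=true


def _mac(secret: bytes, issued_at: int, realm: str) -> bytes:
    """HMAC-SHA256 over the public nonce fields, binding them to our secret."""
    return hmac.new(secret, f"{issued_at}:{realm}".encode(), hashlib.sha256).digest()


def make_nonce(secret: bytes, issued_at: int, realm: str = REALM) -> str:
    """Issue a nonce: issue time plus a MAC that only a holder of the secret
    could have produced. Layout is '<epoch>:<mac>' before base64 encoding."""
    raw = f"{issued_at}:".encode() + _mac(secret, issued_at, realm)
    return base64.b64encode(raw).decode()


def check_nonce(secret: bytes, nonce: str, now: int, realm: str = REALM,
                lifetime: int = NONCE_LIFETIME) -> str:
    """Classify a client-supplied nonce as 'ok', 'stale' or 'forged'.

    'forged' covers anything we could not have issued (malformed, wrong MAC);
    'stale' is a genuine nonce outside its lifetime, which Digest answers with
    a fresh challenge and stale=true rather than a hard failure."""
    try:
        raw = base64.b64decode(nonce, validate=True)
        ts_part, mac_part = raw.split(b":", 1)  # digits never contain ':'
        issued_at = int(ts_part)
    except (ValueError, TypeError):
        return "forged"
    # Recompute the MAC from the client-supplied timestamp; constant-time compare.
    if not hmac.compare_digest(mac_part, _mac(secret, issued_at, realm)):
        return "forged"
    # Freshness: issued in the past and no older than the lifetime.
    if issued_at > now or now - issued_at > lifetime:
        return "stale"
    return "ok"


class NonceCountTracker:
    """Hypothetical replay guard on the Digest nonce-count ('nc') field:
    within a nonce's lifetime each request must carry an nc strictly greater
    than the last one accepted for that nonce (RFC 2617 section 3.2.2)."""

    def __init__(self) -> None:
        self._last_nc: dict[str, int] = {}

    def accept(self, nonce: str, nc_hex: str) -> bool:
        try:
            nc = int(nc_hex, 16)
        except ValueError:
            return False
        if nc <= self._last_nc.get(nonce, 0):
            return False  # replayed or out-of-order request
        self._last_nc[nonce] = nc
        return True


if __name__ == "__main__":
    now = 1_071_612_250  # constructed epoch value, roughly the message's date
    nonce = make_nonce(SERVER_SECRET, now)
    print("fresh   ->", check_nonce(SERVER_SECRET, nonce, now + 10))
    print("expired ->", check_nonce(SERVER_SECRET, nonce, now + 1000))
    print("forged  ->", check_nonce(b"attacker-guess", nonce, now + 10))
    tracker = NonceCountTracker()
    print("nc=1 accepted:", tracker.accept(nonce, "00000001"))
    print("nc=1 replayed:", tracker.accept(nonce, "00000001"))
```

Because the MAC is recomputed from the timestamp the client echoes back, the server keeps no table of issued nonces and any worker holding the secret can validate a nonce issued by another; the nonce-count tracker is the only per-nonce state, and it only needs to live as long as `NONCE_LIFETIME`.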