httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: [patch] digest replay protection
Date Sat, 20 Dec 2003 15:04:21 GMT
Dirk-Willem van Gulik wrote:

>>This doesn't appear to check that the timestamp is anywhere near now,
>>which would prevent same-site replays...
> 
> 
> Correct - the trouble with timestamp checks is that ?most/some? browsers
> will NOT cache the password the user has entered; but the 'response' (i.e.
> nonce+realm+password). So if one sets a 5 minute time out on the time
> stamp - then users will be prompted for a password every 5 minutes or so.

That's crap. So, we should do it right and get the browsers fixed.

Cheers,

Ben.


-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
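
An added illustration of the timestamp check debated in this thread; it is not the patch under review and not httpd code. The nonce layout (hex timestamp plus HMAC-SHA256), `SERVER_SECRET`, `NONCE_LIFETIME` and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: random per-server key
NONCE_LIFETIME = 300                        # the 5-minute window from the thread


def _mac(ts_hex):
    """Bind the timestamp to this server so a client cannot forge a fresh one."""
    return hmac.new(SERVER_SECRET, ts_hex.encode(), hashlib.sha256).hexdigest()


def make_nonce(now=None):
    """Build a nonce of the form '<hex timestamp>:<HMAC over the timestamp>'."""
    ts_hex = format(int(time.time() if now is None else now), "x")
    return ts_hex + ":" + _mac(ts_hex)


def check_nonce(nonce, now=None):
    """Classify a nonce returned by a client as 'ok', 'stale' or 'bad'.

    'stale' means the nonce is authentic but older than NONCE_LIFETIME.
    RFC 2617 defines stale=true on the challenge for exactly this case, so
    that a client may retry with a new nonce without re-prompting the user.
    """
    now = int(time.time() if now is None else now)
    ts_hex, sep, mac = nonce.partition(":")
    if not sep:
        return "bad"
    # Constant-time comparison; reject anything this server did not issue.
    if not hmac.compare_digest(mac.encode(), _mac(ts_hex).encode()):
        return "bad"
    issued = int(ts_hex, 16)  # safe to parse: the MAC proved we generated it
    if issued > now:
        return "bad"          # timestamp from the future
    if now - issued > NONCE_LIFETIME:
        return "stale"        # a replayed old response ends up here
    return "ok"


if __name__ == "__main__":
    n = make_nonce()
    print(n, check_nonce(n), check_nonce(n, now=time.time() + 600))
```

A timestamp only bounds the replay window: a captured response is still accepted until its nonce ages out.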
