On Tuesday 24 November 2015 18:32:49 Alexandru Covalschi wrote:
Now I'm seeking help with such a question - as I understand, currently anyone can register or auth his requests by using the same Authorization header for all purposes. So, I mean, someone can grab the Auth header from the user's packet and just use it to dig in the server. How to avoid that? As I understood it's implemented in Kamailio. Can you please tell me? Or give a link to an RFC/doc where this is described? As I understood, I'll need to implement that in my script, or maybe I can use some built-in functions?
That is what the nonce in the challenge/response is for.
https://tools.ietf.org/html/rfc2617#section-4.3
You'll have to handle that in your script. You have to check how often Kamailio generates new nonces: http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.nonce_count http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.one_time_non... since you might decline a response in your script but have the www_challenge produce the same challenge to the client.
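As an added illustration (not code from this thread or from Kamailio's auth module), the following computes the RFC 2617 digest response with qop=auth and shows a server-side check that refuses a replayed nonce/nonce-count pair or a stale nonce, which is what stops a copied Authorization header from being reused. The realm, user and password are constructed sample values; `NonceVerifier` is a hypothetical helper.

```python
import hashlib
import hmac
import os
import time


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2 response for qop=auth (the form SIP clients use)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class NonceVerifier:
    """Hypothetical server-side helper: issues nonces, verifies responses, refuses replays.

    A nonce is honoured only within `ttl` seconds, and each nonce-count value (nc)
    may be used once and must increase, so a captured header cannot be replayed.
    """

    def __init__(self, realm, users, ttl=60):
        self.realm = realm
        self.users = users     # constructed sample: username -> password
        self.ttl = ttl
        self.issued = {}       # nonce -> [issue time, highest nc accepted]

    def challenge(self):
        """Mint a fresh unpredictable nonce for a 401/407 challenge."""
        nonce = os.urandom(16).hex()
        self.issued[nonce] = [time.time(), 0]
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        entry = self.issued.get(nonce)
        if entry is None or time.time() - entry[0] > self.ttl:
            return False   # unknown or expired nonce: client must re-authenticate
        if int(nc, 16) <= entry[1]:
            return False   # replay: this nonce count was already accepted
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False   # wrong credentials or tampered request
        entry[1] = int(nc, 16)
        return True
```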