Iñaki Baz Castillo wrote:
2009/7/16 Klaus Darilion klaus.mailinglists@pernau.at:
Iñaki Baz Castillo wrote:
However, to announce "stale=true" in 401/407 response the credentials must be verified.
It would be sufficient to check if the nonce is reused; response calculation could be done afterwards.
What I mean is that response calculation should be done even if nonce is reused. If not, there is no way to send "stolen=true" in 401/407.
I do not understand this. If the nonce was already used, the proxy could respond immediately with 407 and "stale=true" without checking the password.
regards klaus
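
The two orderings discussed in this thread, as an added example that is not part of the original messages and is not any proxy's own code. It follows the RFC 2617 rule that a server should set stale=TRUE only when the nonce is invalid but the digest is valid for that nonce. The realm, the credential store, the `verify_before_stale` switch and all function names are assumptions made for illustration; nonce issuance and expiry are left out.

```python
import hashlib
import hmac

REALM = "example.org"            # assumed realm
PASSWORDS = {"alice": "secret"}  # constructed credential store
used_nonces = set()              # nonces that already authenticated once


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def expected_response(user, password, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def check(user, nonce, method, uri, response, verify_before_stale=True):
    """Return (status, stale) for a request carrying digest credentials."""
    reused = nonce in used_nonces
    if reused and not verify_before_stale:
        # Shortcut ordering: reuse alone yields stale=true, so a sender
        # that does not know the password is also told to simply retry.
        return 407, True
    password = PASSWORDS.get(user)
    valid = password is not None and hmac.compare_digest(
        expected_response(user, password, nonce, method, uri), response)
    if not valid:
        return 407, False   # wrong credentials: plain challenge
    if reused:
        return 407, True    # right credentials, old nonce: stale=true
    used_nonces.add(nonce)
    return 200, False
```
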