Daniel-Constantin Mierla writes:
If I haven't missed something, Juha said it is not good to ask the user
again for introducing the password in the (soft)phone app. The hashed
response (with nonce, realm, password) has to be sent always over the
network, no matter the stale parameter value. So it is just the
inconvenience of the person to type the password; it doesn't impact at all
what is sent over the network.

I tried to say that if a UA sends a REGISTER request that includes an
Authorization header and gets back a 401 WWW-Authenticate header without
stale=true, the UA MUST ask the user to enter authentication
username/password again, even when there is nothing wrong with them.
In practice that is in many cases impossible, e.g., when the UA is
in the user's pocket. That is why it is important that the server includes
the flag in the 401 response.
-- Juha
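
The UA-side decision discussed in this message, as an added example that is not part of the original e-mail or of any project's code: it parses the 401 challenge and either recomputes the digest silently or falls back to prompting. The function names, the sample challenges and the stored-credentials dict are assumptions, as is a challenge using MD5 without qop.

```python
import hashlib
import re

# key=value or key="value" pairs inside a Digest challenge
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

# Constructed sample 401 challenges (realm and nonce values are made up)
CHALLENGE_STALE = 'Digest realm="sip.example.org", nonce="b7c9036dbf35", stale=true'
CHALLENGE_PLAIN = 'Digest realm="sip.example.org", nonce="b7c9036dbf35"'


def parse_challenge(value):
    """Parse a WWW-Authenticate Digest value into a dict with lowercase keys."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {k.lower(): quoted or bare for k, quoted, bare in _PARAM.findall(rest)}


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def on_register_401(challenge_value, sent_authorization, cached):
    """Return ("retry", response) or ("prompt", None) for a 401 to REGISTER.

    cached is the stored credentials dict (user, password, uri) or None.
    """
    ch = parse_challenge(challenge_value)
    stale = ch.get("stale", "").lower() == "true"
    if cached is None or (sent_authorization and not stale):
        # No stored credentials, or the server rejected the ones we sent:
        # the only option left is to ask the user again.
        return ("prompt", None)
    # First challenge, or stale=true: only the nonce changed, so recompute
    # the response from the stored password without involving the user.
    return ("retry", digest_response(cached["user"], ch["realm"],
                                     cached["password"], "REGISTER",
                                     cached["uri"], ch["nonce"]))
```

With the same stored password, the two sample challenges differ only in the stale flag, and that flag alone decides whether the UA can re-register unattended.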