[sr-dev] [Kamailio] Why is the nonce expiry checked so late?
Alex Hermann
alex at speakup.nl
Tue Nov 17 16:16:30 CET 2009
On Tuesday 17 November 2009, Alex Hermann wrote:
> Why is the nonce expiry checked in post_auth instead of pre_auth? Now the
> expiry is checked after the username/password is checked against the DB.
> That seems a bit odd.
>
> I moved the check to check_nonce (which is called from pre_auth) and it
> seems to work fine. Did I miss something? Security issue?
Also the nonce reuse check is in post_auth. Why not check it before DB
access is done?

Here's the patch by the way.
--
Greetings,
Alex Hermann
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check-nonce-expires-early
Type: text/x-diff
Size: 1937 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20091117/ccfa485e/attachment.diff>