[sr-dev] Stale nonce for Authentication

Martin Hoffmann martin.hoffmann at telio.ch
Wed Apr 27 14:59:24 CEST 2011


Juha Heinanen wrote:
> Martin Hoffmann writes:
> 
> > we came across an issue where a client expects an unexpired nonce to be
> > flagged by the stale=true flag in the Digest Authenticate header field.
> 
> is that specified in some rfc or elsewhere?

Yes. RFC 2617, 3.2.1:

   stale
     A flag, indicating that the previous request from the client was
     rejected because the nonce value was stale. If stale is TRUE
     (case-insensitive), the client may wish to simply retry the request
     with a new encrypted response, without reprompting the user for a
     new username and password. The server should only set stale to TRUE
     if it receives a request for which the nonce is invalid but with a
     valid digest for that nonce (indicating that the client knows the
     correct username/password). If stale is FALSE, or anything other
     than TRUE, or the stale directive is not present, the username
     and/or password are invalid, and new values must be obtained.

Regards,
Martin
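The rule quoted from RFC 2617 is easy to get wrong in the order of checks: a server may only answer stale=true after it has verified that the digest is correct for the nonce the client actually used. The following is an added example (not code from the sr-dev thread or from the SIP router project) showing that decision in Python: a client computes an RFC 2617 Digest response with qop=auth, and a server-side verifier returns "ok", "stale" or "invalid" and builds the matching challenge. The realm, the credential table, the cnonce/nc values and the in-memory nonce store are all constructed for the example.

```python
"""Added example: RFC 2617 3.2.1 stale handling for Digest authentication.

Constructed for illustration, not taken from the mailing-list thread:
one static user, an in-memory set of currently valid nonces, qop="auth"
only, MD5 as RFC 2617 specifies.
"""
import hashlib
import re
import secrets

REALM = "example.invalid"                           # constructed realm
USERS = {"alice": "correct horse battery staple"}   # constructed credentials


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def compute_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 3.2.2.1 with qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, nonce,
                         cnonce="0a4f113b", nc="00000001"):
    """Authorization credentials a client sends after a challenge (constructed cnonce/nc)."""
    resp = compute_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (minimal, for the example)."""
    body = header.split(" ", 1)[1]
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body):
        params[key] = quoted if quoted else bare
    return params


class DigestVerifier:
    """Server side: issues nonces and decides between ok / stale / invalid."""

    def __init__(self):
        self.valid_nonces = set()

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.valid_nonces.add(nonce)
        return nonce

    def expire(self, nonce):
        # Nonce lifetime elapsed, or a single-use nonce was already consumed.
        self.valid_nonces.discard(nonce)

    def verify(self, authorization_header, method):
        """Return "ok", "stale" or "invalid".

        Order matters: the digest is checked against the nonce the client
        presented *before* that nonce's validity is consulted, so stale=true
        is only ever sent to a client that proved it knows the password.
        """
        p = parse_digest(authorization_header)
        password = USERS.get(p.get("username", ""))
        if password is None:
            return "invalid"
        expected = compute_response(p["username"], password, method, p.get("uri", ""),
                                    p.get("nonce", ""), p.get("nc", ""),
                                    p.get("cnonce", ""), p.get("qop", "auth"))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return "invalid"            # wrong credentials: no stale flag
        if p.get("nonce") not in self.valid_nonces:
            return "stale"              # right credentials, outdated nonce
        return "ok"

    def challenge(self, verdict):
        """Build the 401 challenge header for a non-"ok" verdict."""
        header = (f'WWW-Authenticate: Digest realm="{REALM}", qop="auth", '
                  f'nonce="{self.new_nonce()}"')
        if verdict == "stale":
            header += ", stale=true"
        return header


if __name__ == "__main__":
    v = DigestVerifier()
    nonce = v.new_nonce()
    auth = client_authorization("alice", USERS["alice"], "REGISTER",
                                "sip:example.invalid", nonce)
    print(v.verify(auth, "REGISTER"))   # ok
    v.expire(nonce)
    print(v.verify(auth, "REGISTER"))   # stale
    print(v.challenge("stale"))         # challenge carrying stale=true
```

The point the example makes is the one the RFC quote insists on: "stale" is a verdict about the nonce, not about the credentials, so it is reached only after the response has been verified against the nonce the client used; a mismatch on that check is reported as a plain failure with no stale flag, and a fresh nonce is issued in either case.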


