[sr-dev] Stale nonce for Authentication

Martin Hoffmann martin.hoffmann at telio.ch
Sat May 28 08:21:18 CEST 2011


Juha Heinanen wrote:
> 
> What was the conclusion regarding your stale nonce param patch?

My plan was to eventually start a branch of my own in git. Haven't
gotten round to it yet.

> I would do it so that if www or proxy_authorize function returns -4
> (stale nonce) then I would call www or proxy_challenge with stale flag
> on. It would then cause stale=true to be added to the header.

That would be an option, too, but IMHO it makes the whole authorization bit
in the config unnecessarily messy. My idea was that if the nonce is
stale, *_challenge just adds the stale flag. I only added the flag bit
to maintain backwards compatibility (if you don't set it, the module
behaves as it always did) and as a quick way out if my patch blows up.

> I don't understand why your patch calls pre_auth, since the request was
> already authenticated and it failed due to stale nonce.

I use pre_auth to find the relevant auth_body_t which will include
information on whether the nonce was stale. This part should probably be
factored out if we intend to use this patch or a derivative of it as the
default behaviour.

Best regards,
Martin
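
The flow discussed in this thread (authorization reports a stale nonce, the challenge then carries stale=true), as an added Python example that is neither Kamailio's code nor the patch under discussion. The function names, the timestamp-plus-MAC nonce format, the secret and the lifetime are assumptions; it goes slightly beyond the thread by reporting "stale" only when the digest response verifies for the expired nonce, as RFC 2617 specifies.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not from the thread
NONCE_TTL = 300                      # assumed nonce lifetime in seconds

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def nonce_mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]

def make_nonce(now):
    # Nonce = hex timestamp + MAC, so the server can validate it statelessly.
    ts = format(int(now), "x")
    return ts + "." + nonce_mac(ts)

def nonce_state(nonce, now):
    # 'forged' if this server never issued it, 'stale' if expired, else 'fresh'.
    ts, _, mac = nonce.partition(".")
    if not hmac.compare_digest(mac.encode(), nonce_mac(ts).encode()):
        return "forged"
    return "stale" if now - int(ts, 16) > NONCE_TTL else "fresh"

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2).
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def authorize(creds, password, method, now):
    # Returns 'ok', 'stale' or 'denied'; wrong credentials never yield 'stale'.
    state = nonce_state(creds["nonce"], now)
    if state == "forged":
        return "denied"
    expected = digest_response(creds["username"], creds["realm"], password,
                               method, creds["uri"], creds["nonce"])
    if not hmac.compare_digest(expected.encode(), creds["response"].encode()):
        return "denied"
    return "ok" if state == "fresh" else "stale"

def challenge(realm, now, stale=False):
    # stale=true tells the client to retry with the new nonce without re-prompting.
    header = f'WWW-Authenticate: Digest realm="{realm}", nonce="{make_nonce(now)}"'
    return header + (", stale=true" if stale else "")
```
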


