[sr-dev] Stale nonce for Authentication

Juha Heinanen jh at tutpro.com
Sat May 28 08:35:51 CEST 2011


Martin Hoffmann writes:

> My plan was to eventually start a branch of my own in git. Haven't
> gotten round to it yet.
> 
> > i would do it so that if www or proxy_authorize function returns -4
> > (stale nonce) then i would call www or proxy_challenge with stale flag
> > on.  it would then cause stale=true to be added to the header.
> 
> That would be an option, too, but IMHO it makes the whole authorization bit
> in the config unnecessarily messy.

why is that?  i now have,

    if (!radius_proxy_authorize("$var(uri_domain)", "$var(uri_user)")) {
        switch ($rc) {
        ...
        case -4:
            xlog("L_INFO", "$rm <$ru> by <$var(uri)> has stale nonce\n");
            www_challenge("$td", "1");
            exit;
        }
    }

the only thing i would need to change is www_challenge flag parameter
value from "1" to "9".

currently README says:

1.4.2.  www_challenge(realm, flags)
...
     * flags - Value of this parameter can be a bitmask of following:
          + 1 - build challenge header with qop=auth
          + 2 - build challenge header with qop=auth-int
          + 4 - do not send '500 Internal Server Error' reply
            automatically in failure cases (error code is returned to
            config)

so i propose adding this:

          + 8 - build challenge header with stale=true

it would be a simple, fully backwards compatible new feature.

-- juha
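The exchange the thread is about, written out as an added Python example (this is not Kamailio/SER code and not the auth module's implementation). It assumes a stateless nonce made of an issue timestamp plus an HMAC, a 30 second nonce lifetime, a constructed user table, the www_challenge() flag bits 1, 2 and 4 from the README plus the proposed bit 8, and the -4 return code quoted above; the other return code (-1) is an assumption. The server verifies the digest before it looks at nonce age, so stale=true is only ever sent to a client that has already proved it knows the password, which is the condition RFC 2617 attaches to stale=true; the client then retries with the same credentials and the fresh nonce without prompting the user again.

```python
import hashlib
import hmac

# Added example, not Kamailio/SER code.  Assumed: a server-side secret that
# MACs the nonce, a 30 s nonce lifetime and a constructed user table.
SECRET = b"example-server-secret"
NONCE_LIFETIME = 30

AUTH_OK = 1
AUTH_INVALID = -1        # assumed code for bad credentials or a forged nonce
AUTH_STALE_NONCE = -4    # the return code the post quotes for a stale nonce

# www_challenge() flag bits from the auth README, plus the proposed 8
QOP_AUTH, QOP_AUTH_INT, NO_AUTO_REPLY, STALE = 1, 2, 4, 8

def md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()

# constructed user table: (username, realm) -> HA1 = MD5(user:realm:password)
USERS = {("alice", "example.com"): md5("alice", "example.com", "secret")}

def make_nonce(now):
    """Nonce = issue time plus a MAC, so age is checked without server state."""
    ts = str(int(now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return ts + ":" + mac

def check_nonce(nonce, now):
    """Return (genuine, stale): genuine = we issued it, stale = it expired."""
    ts, _, mac = nonce.partition(":")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not ts.isdigit() or not hmac.compare_digest(mac, expected):
        return False, False
    return True, now - int(ts) > NONCE_LIFETIME

def build_challenge(realm, flags, now):
    """Digest challenge header; bit 4 changes reply handling, not the header."""
    parts = ['realm="%s"' % realm, 'nonce="%s"' % make_nonce(now)]
    qops = [q for bit, q in ((QOP_AUTH, "auth"), (QOP_AUTH_INT, "auth-int"))
            if flags & bit]
    if qops:
        parts.append('qop="%s"' % ",".join(qops))
    if flags & STALE:
        parts.append("stale=true")
    return "WWW-Authenticate: Digest " + ", ".join(parts)

def parse_challenge(header):
    params = {}
    for item in header.split("Digest ", 1)[1].split(", "):
        key, _, value = item.partition("=")
        params[key] = value.strip('"')
    return params

def client_response(user, password, method, uri, params):
    """Client side: RFC 2617 response for qop=auth (fixed nc/cnonce here)."""
    ha1 = md5(user, params["realm"], password)
    ha2 = md5(method, uri)
    nc, cnonce = "00000001", "0a4f113b"
    response = md5(ha1, params["nonce"], nc, cnonce, "auth", ha2)
    return {"username": user, "realm": params["realm"], "nonce": params["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": response}

def authorize(creds, method, now):
    """Server side.  The digest is verified before nonce age is considered,
    so only a client that proved it knows the password is told stale=true."""
    ha1 = USERS.get((creds["username"], creds["realm"]))
    if ha1 is None:
        return AUTH_INVALID
    ha2 = md5(method, creds["uri"])
    expected = md5(ha1, creds["nonce"], creds["nc"], creds["cnonce"],
                   creds["qop"], ha2)
    if not hmac.compare_digest(expected, creds["response"]):
        return AUTH_INVALID
    genuine, stale = check_nonce(creds["nonce"], now)
    if not genuine:
        return AUTH_INVALID
    return AUTH_STALE_NONCE if stale else AUTH_OK

def run_exchange(user, password, method, uri, realm, now):
    """Authenticate, re-send the same nonce after it expired, then follow
    the stale=true re-challenge with the same password and a fresh nonce."""
    log = []
    challenge = parse_challenge(build_challenge(realm, QOP_AUTH, now))
    creds = client_response(user, password, method, uri, challenge)
    log.append(authorize(creds, method, now))
    later = now + NONCE_LIFETIME + 1
    rc = authorize(creds, method, later)       # old nonce, still correct digest
    log.append(rc)
    if rc == AUTH_STALE_NONCE:                 # what the config's case -4 does
        header = build_challenge(realm, QOP_AUTH | STALE, later)
        log.append("stale=true" in header)
        creds = client_response(user, password, method, uri,
                                parse_challenge(header))
        log.append(authorize(creds, method, later))
    return log

if __name__ == "__main__":
    print(run_exchange("alice", "secret", "REGISTER", "sip:example.com",
                       "example.com", 1000))
```

Calling run_exchange() walks the four steps: first authorization succeeds, the replayed nonce 31 seconds later is reported as stale rather than as a bad password, the re-challenge built with flags 1|8 carries stale=true, and the retry with the new nonce succeeds. A wrong password on an expired nonce, or a nonce the server never issued, gets the plain invalid code, so the stale hint cannot be used to probe for valid credentials.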
