[SR-Users] Grab users password from WWW-Auth header

Daniel Tryba d.tryba at pocos.nl
Tue Nov 24 17:54:50 CET 2015


On Tuesday 24 November 2015 18:32:49 Alexandru Covalschi wrote:
> Now I'm seeking help with such question - as I understand, currently anyone
> can register or auth his requests by using same Authorization header for
> all purposes. So, I mean, someone can grab Auth header from the user's
> packet and just use it to dig in the server.
> How to avoid that? As I understood it's implemented in Kamailio. Can you
> please tell me? Or give a link to RFC/doc where this is described? As I
> understood, I'll need to implement that in my script, or maybe I can use
> some built-it functions?

That is what the nonce in the challenge/response is for.

https://tools.ietf.org/html/rfc2617#section-4.3

You'll have to handle that in your script. You have to check how often 
kamailio generates new nonces:
http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.nonce_count
http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.one_time_nonce
since you might decline a response in your script but have the www_challenge 
produce the same challenge to the client.
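As an added example (not code from this thread or from Kamailio), here is the server-side nonce bookkeeping Daniel describes, in Python: every challenge carries a fresh random nonce that expires and may be spent once, so a captured Authorization header fails verification when it is replayed. The realm, user and password are constructed sample values, and `NonceStore`, `verify` and the helper names are assumptions for the demo.

```python
import hashlib
import re
import secrets

REALM = "example.com"
USERS = {"alice": "s3cret"}  # constructed sample credential store (an HA1 table would do as well)

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce):
    """Client side, RFC 2617 section 3.2.2 without qop: response = MD5(HA1:nonce:HA2)."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(header):
    """Parse 'Digest k="v", ...' into a dict (quoted values only, enough for this demo)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

class NonceStore:
    """Server side: each challenge gets a fresh nonce that is valid for ttl seconds
    and is spent on first use (the idea behind Kamailio's one_time_nonce, reimplemented)."""
    def __init__(self, ttl=300):
        self.ttl = ttl
        self.issued = {}  # nonce -> time it was sent in a WWW-Authenticate challenge
        self.spent = set()

    def challenge(self, now):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return nonce

    def spend(self, nonce, now):
        """True once per fresh nonce; False if unknown, expired or already used."""
        issued_at = self.issued.get(nonce)
        if issued_at is None or nonce in self.spent or now - issued_at > self.ttl:
            return False
        self.spent.add(nonce)
        return True

def verify(store, header, method, now):
    """Accept an Authorization header only if its nonce is fresh and unused and the
    response matches; a header captured and replayed later fails on the nonce check."""
    auth = parse_authorization(header)
    password = USERS.get(auth.get("username"))
    if password is None or auth.get("realm") != REALM or not store.spend(auth.get("nonce", ""), now):
        return False
    expected = digest_response(auth["username"], password, REALM, method, auth.get("uri", ""), auth["nonce"])
    return secrets.compare_digest(expected, auth.get("response", ""))
```

Note that the nonce is spent whether or not the response matches, so a client that fails is re-challenged with a new nonce rather than retrying against the old one.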
