[SR-Users] people complain Kamailio not handling stale nonce correctly

Juha Heinanen jh at tutpro.com
Wed Jul 3 07:36:46 CEST 2019


Daniel-Constantin Mierla writes:

> If I haven't missed something, Juha said it is not good to ask the user
> again for introducing the password in the (soft)phone app. The hashed
> response (with nonce, realm, password) has to be sent always over the
> network, no matter the stale parameter value. So it is just the
> inconvenience of the person to type the password, it doesn't impact at all
> what is sent over the network.

I tried to say that if a UA sends a REGISTER request that includes an
Authorization header and gets back a 401 WWW-Authenticate header without
stale=true, the UA MUST ask the user to enter authentication
username/password again, even when there is nothing wrong with them.

In practice that is in many cases impossible, e.g., when the UA is
in the user's pocket.  That is why it is important that the server includes the
flag in the 401 response.

-- Juha
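
Added example, not part of the original message and not Kamailio code: a minimal RFC 2617 digest check (no qop) showing when a server sets stale=true and how a UA decides between retrying silently and prompting the user. The function names, the in-memory set of live nonces and the sample credentials are assumptions made for the illustration.

```python
import hashlib
import hmac
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_params(header_value):
    # Extract key=value and key="value" pairs that follow the "Digest" scheme.
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header_value)
    return {k.lower(): v.strip('"') for k, v in pairs}

def build_authorization(user, realm, password, method, uri, nonce):
    resp = digest_response(user, realm, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def server_check(authorization, method, password, live_nonces, fresh_nonce):
    """Return (status, WWW-Authenticate value or None) for one request."""
    p = parse_params(authorization)
    expected = digest_response(p["username"], p["realm"], password,
                               method, p["uri"], p["nonce"])
    digest_ok = hmac.compare_digest(expected, p["response"])
    if digest_ok and p["nonce"] in live_nonces:
        return 200, None
    challenge = f'Digest realm="{p["realm"]}", nonce="{fresh_nonce}"'
    if digest_ok:
        # Credentials are right, only the nonce has expired: say so.
        challenge += ", stale=true"
    return 401, challenge

def ua_on_401(www_authenticate):
    # stale is compared case-insensitively; anything else means re-prompt.
    stale = parse_params(www_authenticate).get("stale", "")
    return "retry_with_new_nonce" if stale.lower() == "true" else "prompt_user"

# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alice", "example.test", "s3cret"
METHOD, URI = "REGISTER", "sip:example.test"
```

The server verifies the digest against the nonce the client actually used before deciding on stale, so a wrong password never earns stale=true.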



