View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004644 | libmicrohttpd | digest authentication (HTTP) | public | 2016-09-06 13:33 | 2016-10-17 19:21 |
| Reporter | 0xda7aba5e | Assigned To | Christian Grothoff | ||
| Priority | low | Severity | feature | Reproducibility | N/A |
| Status | closed | Resolution | won't fix | ||
| Product Version | 0.9.51 | ||||
| Target Version | 0.9.51 | Fixed in Version | 0.9.51 | ||
| Summary | 0004644: The calculation of nonce-timeout should refer to the last valid usage of a nonce | ||||
| Description | In file "src/microhttpd/digestauth.c" the function "MHD_digest_auth_check" only compares the current time with the timestamp attached to the nonce and the timeout. I guess the timeout should refer to the last valid usage of a nonce. E.g. timeout is 30 sec: t=0: nonce created; t=1: request with nc=1 -> auth success; t=20: request with nc=2 -> auth success; t=31: request with nc=3 -> auth fail due to timeout. The last request (nc=3) should respond with auth success until "last valid usage + timeout" is reached: 20+30-1 -> auth success; 20+30 -> auth success; 20+30+1 -> auth fail - timeout | ||||
| Tags | No tags attached. | ||||
Note 0011094 (Christian Grothoff, 2016-09-06 23:16):

I've re-read RFC 2617 and I do not see this requirement at all. In fact, RFC 2617 doesn't specify how timeouts are to be implemented, it just suggests that they should be. It would also be expensive to do what you suggest, as right now we encode the time value in the nonce's string specifically so we do NOT have to store it on the server side. This doesn't harm security (as it is part of what will be hashed), and keeping storage cost down on the server side is important. If you are concerned about many authentication failures, you should IMO just use a larger timeout, that will be better than us changing the entire scheme to additionally track the last use of a nonce.
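As an added illustration, not code from libmicrohttpd, the two timeout policies discussed in this issue side by side: a stateless nonce with its creation time encoded in the string (the approach the note describes) beside the last-use tracking the report asks for, which needs a per-nonce table on the server. The HMAC binding of the timestamp and the server key are my assumptions; the page does not say how libmicrohttpd encodes or protects the time value.

```python
import hmac
import hashlib

# Constructed server-side secret (assumption, not from the page); a real
# server would generate a random key at startup.  It never leaves the server.
SERVER_KEY = b"constructed-demo-key"
TIMEOUT = 30  # seconds, as in the report's example


def make_nonce(created: int) -> str:
    """Stateless nonce: creation time in the clear plus a MAC binding it to
    the server key, so no per-nonce storage is needed to know its age."""
    mac = hmac.new(SERVER_KEY, str(created).encode(), hashlib.sha256).hexdigest()
    return f"{created}:{mac}"


def parse_nonce(nonce: str):
    """Return the embedded creation time, or None if the MAC does not verify
    (a client cannot forge a fresher timestamp without the key)."""
    created_str, _, mac = nonce.partition(":")
    expected = hmac.new(SERVER_KEY, created_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(created_str)


def check_fixed(nonce: str, now: int) -> bool:
    """Timeout counted from creation, as the note describes: the time comes
    out of the nonce itself and the server keeps no state."""
    created = parse_nonce(nonce)
    return created is not None and now - created <= TIMEOUT


def check_sliding(nonce: str, now: int, last_use: dict) -> bool:
    """Timeout counted from the last valid use, as the report proposes.
    The last_use table is the extra server-side state the note objects to."""
    created = parse_nonce(nonce)
    if created is None:
        return False
    anchor = last_use.get(nonce, created)
    if now - anchor > TIMEOUT:
        return False
    last_use[nonce] = now
    return True


def replay_report_timeline():
    """Run the report's t=0/1/20/31 sequence under both policies."""
    nonce = make_nonce(0)
    fixed = [check_fixed(nonce, t) for t in (1, 20, 31)]
    sliding = [check_sliding(nonce, t, {}) if False else None for t in ()]  # placeholder removed below
    state: dict = {}
    sliding = [check_sliding(nonce, t, state) for t in (1, 20, 31)]
    return fixed, sliding
```

Under the fixed policy the t=31 request fails, under the sliding one it succeeds, which is exactly the disagreement between reporter and maintainer; the price of the second result is the `state` table that has to live for as long as nonces do.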
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-09-06 13:33 | 0xda7aba5e | New Issue | |
| 2016-09-06 23:16 | Christian Grothoff | Note Added: 0011094 | |
| 2016-09-06 23:16 | Christian Grothoff | Assigned To | => Christian Grothoff |
| 2016-09-06 23:16 | Christian Grothoff | Priority | normal => low |
| 2016-09-06 23:16 | Christian Grothoff | Severity | minor => feature |
| 2016-09-06 23:16 | Christian Grothoff | Status | new => feedback |
| 2016-09-06 23:16 | Christian Grothoff | Product Version | => 0.9.51 |
| 2016-10-09 01:52 | Christian Grothoff | Status | feedback => resolved |
| 2016-10-09 01:52 | Christian Grothoff | Fixed in Version | => 0.9.51 |
| 2016-10-09 01:52 | Christian Grothoff | Resolution | open => won't fix |
| 2016-10-09 01:52 | Christian Grothoff | Target Version | => 0.9.51 |
| 2016-10-17 19:21 | Christian Grothoff | Status | resolved => closed |