View Issue Details

ID: 0007755
Project: libmicrohttpd
Category: digest authentication (HTTP)
View Status: public
Last Update: 2023-03-08 10:13
Reporter: akermen
Assigned To:
Status: new
Resolution: open
Product Version: 0.9.75
Summary: 0007755: Digest authentication nonce uniqueness
Description: Digest authentication is working for simple requests but fails for requests sent concurrently (almost all of them, if the requests are sent within a second).

The issue appears to be the "nonce" value of the authentication header not being unique for each (independent) request. This behavior does not seem to be compliant with RFC2617 and RFC7616, which both state that "nonce" values should be uniquely generated each time a 401 response is made, while the values generated by libmicrohttpd are only unique for each second (by the "MHD_monotonic_sec_counter" function).

Digest authentication implementations for popular frameworks (for Flask from , for Node.js from , for httpbin from ) all seem to produce unique "nonce" values and handle concurrent requests without any issue.

This issue report is follow up from the mailing list thread "".

Steps To Reproduce: Follow the steps at the "" repository that was specifically created for reproducing this issue.
Additional Information: To make the values unique, I experimented with a basic "mutex wrapped counter mechanism" which appears to be working for a very limited test scope, but I am not sure about performance and the effect on other parts of the library:

/* global scope */
#include <pthread.h>
#include <stdint.h>

static int make_digest_unique = 1;
static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;

/* at "MHD_queue_auth_fail_response" function: take the incremented value
   while holding the mutex so that concurrent calls never reuse the same one */
int unique_value;
pthread_mutex_lock (&mutex);
unique_value = ++make_digest_unique;
pthread_mutex_unlock (&mutex);
calculate_nonce ((uint32_t) MHD_monotonic_sec_counter() + unique_value,
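As an added illustration of the per-second behaviour described in this report (example code, not the reporter's snippet and not libmicrohttpd's implementation), the following C contrasts a nonce derived only from a second counter with one that also mixes in a mutex-protected per-response counter, and counts how many distinct nonces a batch of 401 responses issued within one second would carry. The function names, the splitmix64 mixer and the fixed second value are constructed stand-ins for MHD_monotonic_sec_counter() and the real nonce computation.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NONCE_LEN 33  /* up to 32 hex chars plus NUL */
#define MAX_REQ   64  /* size of the constructed request batch */
static pthread_mutex_t nonce_mutex = PTHREAD_MUTEX_INITIALIZER;
static uint64_t nonce_counter = 0;

/* splitmix64 finaliser: makes inputs opaque without a crypto library.
   A real server should also hash in a secret, as RFC 7616 suggests. */
static uint64_t mix64 (uint64_t x)
{
  x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
  x ^= x >> 27; x *= 0x94d049bb133111ebULL;
  return x ^ (x >> 31);
}

/* Per-second scheme: the second counter is the only input, so every
   401 response issued within that second carries the same nonce. */
static void nonce_per_second (uint32_t sec, char out[NONCE_LEN])
{
  snprintf (out, NONCE_LEN, "%016llx", (unsigned long long) mix64 (sec));
}

/* Per-response scheme: the second counter plus a counter that is
   incremented and read under the lock, so concurrent callers never
   observe the same value. */
static void nonce_per_response (uint32_t sec, char out[NONCE_LEN])
{
  uint64_t n;
  pthread_mutex_lock (&nonce_mutex);
  n = ++nonce_counter;
  pthread_mutex_unlock (&nonce_mutex);
  snprintf (out, NONCE_LEN, "%016llx%016llx",
            (unsigned long long) mix64 (sec), (unsigned long long) mix64 (n));
}

/* Issue `count` nonces as if that many 401 responses went out in the same
   (constructed) second and return how many distinct values were produced. */
static int distinct_nonces (void (*gen)(uint32_t, char *), int count)
{
  char seen[MAX_REQ][NONCE_LEN], cur[NONCE_LEN];
  int distinct = 0, i, j;
  for (i = 0; i < count && i < MAX_REQ; i++) {
    gen (1678270380u, cur);  /* constructed: one fixed "current second" */
    for (j = 0; j < distinct && 0 != strcmp (seen[j], cur); j++) { }
    if (j == distinct) strcpy (seen[distinct++], cur);
  }
  return distinct;
}
```

With 50 responses in one second the per-second scheme yields a single nonce, which is exactly the collision the concurrent requests in this report run into, while the per-response scheme yields 50.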
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2023-03-08 10:13 | akermen | | New Issue