[Chicken-janitors] Re: #401: authorization header parsing for digest aut
From: Chicken Trac
Subject: [Chicken-janitors] Re: #401: authorization header parsing for digest authentication (intarweb)
Date: Tue, 28 Sep 2010 17:36:49 -0000

#401: authorization header parsing for digest authentication (intarweb)
-------------------------+--------------------------------------------------
   Reporter:  daishi     |       Owner:
       Type:  defect     |      Status:  new
   Priority:  critical   |   Milestone:  4.7.0
  Component:  extensions |     Version:  4.6.x
 Resolution:             |    Keywords:  spiffy intarweb
-------------------------+--------------------------------------------------
Comment(by sjamaan):

How are you using this? Are you writing an authentication server or using
http-client?

Before applying this, I'd like to see some code that uses this in practice
so I can see it working. Nonce count is fundamentally a number, so I
don't see why it needs to be kept around in string form.

When generating or checking the digest value we can always convert it to a
string (it's a string of 8 hex digits), but its native "type" is number.

The idea of the nonce count is you keep around the last value and compare
it to the current number. Only if it is a higher number should the request
be allowed (otherwise it's a replay attack). If it's kept around as a
string, you'll need to convert it back to a number anyway.

--
Ticket URL: <http://bugs.call-cc.org/ticket/401#comment:1>
Chicken Scheme <http://www.call-with-current-continuation.org/>
Chicken Scheme is a compiler for the Scheme programming language.
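
The nonce-count check described in the comment above, as an added Python example that is not part of the original message and is not intarweb or Spiffy code. The names `parse_nc`, `format_nc`, `NonceCountTracker` and the sample nonce are hypothetical; accepting upper-case hex digits is a leniency chosen for this sketch.

```python
import re

# The nc value is a string of 8 hex digits; anything else is malformed.
NC_RE = re.compile(r"[0-9a-fA-F]{8}")

def parse_nc(raw):
    """Return the nonce count as an int, or None if the field is malformed."""
    if not NC_RE.fullmatch(raw):
        return None
    return int(raw, 16)

def format_nc(count):
    """Render the count as the 8-hex-digit string used in the digest input."""
    return format(count, "08x")

class NonceCountTracker:
    """Remembers the highest nonce count accepted for each server nonce."""

    def __init__(self):
        self._last = {}  # nonce -> highest count accepted so far

    def issue(self, nonce):
        """Register a nonce the server has just handed out."""
        self._last[nonce] = 0

    def check(self, nonce, raw_nc):
        """Accept only a count strictly higher than the last accepted one."""
        count = parse_nc(raw_nc)
        if count is None or nonce not in self._last:
            return False  # malformed nc, or a nonce this server never issued
        if count <= self._last[nonce]:
            return False  # repeated or lower count: treat as a replay
        self._last[nonce] = count
        return True

def demo():
    """Run constructed nc values through one tracker, in arrival order."""
    tracker = NonceCountTracker()
    nonce = "constructed-nonce-1"  # constructed sample value
    tracker.issue(nonce)
    samples = ["00000001", "00000002", "00000002",  # third one is a repeat
               "0000000B", "0000000a",              # 11, then 10
               "1", "0000000g"]                     # malformed fields
    return [tracker.check(nonce, nc) for nc in samples]

if __name__ == "__main__":
    print(demo())
```

Comparing the raw strings would accept `0000000a` after `0000000B`, because lower-case `a` sorts after upper-case `B` even though 10 is less than 11; comparing the parsed numbers rejects it.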