[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Chicken-janitors] Re: #401: authorization header parsing for digest aut

From: Chicken Trac
Subject: [Chicken-janitors] Re: #401: authorization header parsing for digest authentication (intarweb)
Date: Tue, 05 Oct 2010 18:26:42 -0000

#401: authorization header parsing for digest authentication (intarweb)
  Reporter:  daishi      |       Owner:  sjamaan        
      Type:  defect      |      Status:  closed         
  Priority:  critical    |   Milestone:  4.7.0          
 Component:  extensions  |     Version:  4.6.x          
Resolution:  wontfix     |    Keywords:  spiffy intarweb
Changes (by sjamaan):

  * status:  accepted => closed
  * resolution:  => wontfix


 You say its *purpose* is to authenticate, but its primary purpose is to
 prevent session *replay attacks*. For that, you need to compare the nonce
 count to earlier nonce count values, which is done numerically.

 The fact that the nonce count is also put somewhere in the hash is to
 prevent an attacker from spoofing the nonce count's value.

 I stick with my initial point: it's fundamentally a number, and treating
 it as a string in its native form is just wrong.

Ticket URL: <>
Chicken Scheme <>
Chicken Scheme is a compiler for the Scheme programming language.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]