From: Chicken Trac
Subject: [Chicken-janitors] Re: #401: authorization header parsing for digest authentication (intarweb)
Date: Tue, 28 Sep 2010 17:36:49 -0000

#401: authorization header parsing for digest authentication (intarweb)
-------------------------+--------------------------------------------------
  Reporter:  daishi      |       Owner:                 
      Type:  defect      |      Status:  new            
  Priority:  critical    |   Milestone:  4.7.0          
 Component:  extensions  |     Version:  4.6.x          
Resolution:              |    Keywords:  spiffy intarweb
-------------------------+--------------------------------------------------

Comment(by sjamaan):

 How are you using this?  Are you writing an authentication server or using
 http-client?

 Before applying this, I'd like to see some code that uses this in practice
 so I can see it working.  Nonce count is fundamentally a number, so I
 don't see why it needs to be kept around in string form.

 When generating or checking the digest value we can always convert it to a
 string (it's a string of 8 hexdigits), but its native "type" is number.
 The idea of the nonce count is you keep around the last value and compare
 it to the current number. Only if it is a higher number should the request
 be allowed (otherwise it's a replay attack). If it's kept around as a
 string, you'll need to convert it back to a number anyway.

-- 
Ticket URL: <http://bugs.call-cc.org/ticket/401#comment:1>
Chicken Scheme <http://www.call-with-current-continuation.org/>
Chicken Scheme is a compiler for the Scheme programming language.
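
The nonce-count check described in the comment above, as an added example in Python (not intarweb code and not part of the original message): the count is parsed from its 8-hex-digit field, stored as a number per nonce, and accepted only when strictly higher than the last one seen. The class and function names and the sample values are assumptions made for illustration, as is accepting both upper- and lower-case hex digits.

```python
import re

# The nc field is a string of 8 hex digits; accepting either case is an
# assumption of this example.
NC_RE = re.compile(r"[0-9A-Fa-f]{8}")


class NonceCountTracker:
    """Remembers the highest nonce count accepted for each server nonce."""

    def __init__(self):
        self._last = {}  # nonce -> last accepted count, stored as int

    def check(self, nonce, nc_field):
        """Return True and record the count only if it is strictly higher."""
        if not NC_RE.fullmatch(nc_field):
            return False  # malformed nc: reject rather than guess
        count = int(nc_field, 16)
        # An unseen nonce starts at 0, so the first valid count is 1.
        if count <= self._last.get(nonce, 0):
            return False  # repeated or older count: treat as a replay
        self._last[nonce] = count
        return True


def nc_for_digest(count):
    """Render a count back into the 8-hex-digit form used in the digest."""
    return format(count, "08x")


def demo():
    tracker = NonceCountTracker()
    nonce = "constructed-nonce-1"  # constructed sample value
    # Constructed sequence of nc fields as one client might send them.
    requests = ["00000001", "00000002", "00000002", "0000000a",
                "0000000B", "00000003", "1", "0000000g"]
    return [(nc, tracker.check(nonce, nc)) for nc in requests]


if __name__ == "__main__":
    for nc, ok in demo():
        print(nc, "accepted" if ok else "rejected")
    # String comparison misorders mixed-case hex; numeric comparison does not.
    print("0000000a" < "0000000B", int("0000000a", 16) < int("0000000B", 16))
```
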
