[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [libmicrohttpd] Digest authentication nonce uniqueness

From: Evgeny Grin
Subject: Re: [libmicrohttpd] Digest authentication nonce uniqueness
Date: Thu, 13 Jan 2022 20:43:01 +0300
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1

Hi Ahmet,

Thank for the report.
I see some mistakes in our example (related to API complexity that should be improved soon), but these mistakes shouldn't break the example.
nonce should be unique and it will be fixed.

I'll check it deeper.

In the meantime, any additional information and patches are welcome. :)


On 10.01.2022 18:56, Ahmet Kermen wrote:
Hi all,

Trying to implement digest authentication by following the sample code “digest_auth_example.c” from " <>”.

For simple requests everything works fine without any issue.

When I try to send requests concurrently, some of them always fail, even two concurrent requests.

Still not sure exact reason why concurrent handling is not working, but at this point only clue I have for the issue appears to be “nonce” value of the authentication header being not unqiue for each (independent) request. This behaviour seems to be not compliant with RFC2617 <> and RFC7616 <> both state “nonce" values should be uniquely generated each time a 401 response is made while the values generated by libmicrohttpd are only unique for each second (by the “MHD_monotonic_sec_counter" function).

By the way the NONCE_NC_SIZE value is set to very large value to eliminate hash collisions.

When same concurrent test run with digest authentication implementation for popular frameworks (for Flask from <>, for Node.js from <>, for httbin from <>) they all seem to produce unique “nonce” values and handle concurrent requests wihtout any issue.

Please correct me If I’m wrong and missing something about the "nonce” value handling or it being source of the isssue.

Best regards,
Ahmet Kermen

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]