Browser support of nextnonce directive in HTTP digest authentication
I've done a C++ based HTTP server (or to rephrase - spilled another drop in the ocean) and encountered an issue with HTTP digest authentication.
According to the HTTP authentication RFC using the nextnonce directive in the Authentication-Info header is a valid way of implementing a single use nonce mechanism. I've done this according to the RFC but both Chrome and Firefox seem to ignore the directive and issue all further requests with the initial nonce thus triggering unneeded 401 responses. An example illustration with Firefox:
First request - my server returns 401 and issues the initial nonce a1f778b2afc8590e4a64f414f663128b
Firefox successfully authenticates and gets a reply with the Authentication-Info: nextnonce="0b72e74afbcab33a5aba05d4db03b801" header
Firefox issues a new request to fetch image from the returned html - still the initial nonce c1587dd7be6251fa715540e0d6121aa5 is used and thus a reply with a new nonce and a flag that the provided nonce is expired is sent back.
Same scenario as for the first image request.
Now authentication succeeds with the new nonce.
The authentication succeeds for the second request as well.
As can be seen in the images - even though I reply with Authentication-Info: nextnonce="0b72e74afbcab33a5aba05d4db03b801" upon a successful authorization on the first request the next two requests still use the original nonce instead of the provided nextnonce value. Has anyone had a similar experience? I am most certainly doing something wrong - even though the RFC says that the client SHOULD reply with the provided nextnonce value and thus it is not mandatory I highly doubt that the most popular browsers do not use this technique.
Looks like it's a known Firefox bug that's been open since 2001.
Bug 150605 - digest authentication problem: Mozilla ignores the nextnonce parameter of Authentication-Info Response Header.
which is a duplicate of
Bug 116177 - next nonce digest auth test fails
- Why does 1.0/100.0 == 0.1/10.0 give True?
- How to organize the receive msg and user current input in C network such that it's clean
- Using inclusive scan syntax in OpenMP in the C language
- Unable to understand context in book "OOP in C" by Axel Schreiner
- How to dereference member from struct in which the definition is hid from user?
- variable-length array in struct with TI compiler in C (socket programming)
- A faster way to test 32bpp DDBs for a valid Alpha channel
- How can I compile the zephyr example-application as a freestanding application?
- Why does my forked process sometimes overwrite data in a file?
- Why in C can I initialize more values than the size of an array?
- _Generic in C needs typecasting?
- Declaring/defining an unused variable changes the output from an unrelated variable
- How to use gdb to explore the stack/heap?
- How can I read an input string of unknown length?
- Confused by difference between expression inside if and expression outside if
- Fast Arc Cos algorithm?
- Discrepancy of `unsigned long` size between llvm and gcc in riscv32
- GCC (C) - error: 'x' redeclared as different kind of symbol
- Why does GCC’s static analyser falsely warn that a pointer to an allocated memory block itself stored in an allocated memory block may leak?
- c language gcc compiler *.i file #3 "" 2 what is this?
- How to make clang compile to llvm IR
- Hashtable implementation in C
- EFI variables or config file on the EFI partition for EFI application?
- Pack high bit of every byte in ARM, for 64 bytes like AVX512 vpmovb2m?
- Calling an external C function (in a shared lib) from Perl with Inline::C does not work
- Can a C program detect if its own source code has been modified?
- Is this declaration UB?
- Eclipse C/C++ how to find variable belongs to which struct quickly
- Is this truly best way to delete last element in C?
- flint/arb.h: No such file or directory