  1. WildFly Elytron
  2. ELY-1536

DigestSaslClient parses but ignores "stale" param


Details

    • Bug
    • Resolution: Done
    • Major
    • 1.3.1.Final, 1.4.0.Final
    • 1.2.3.Final
    • SASL
    • None

    Description

      The server sends "stale=true" when an invalid nonce is used.
      The client should repeat authentication with a new nonce, but it ignores it instead.

      RFC 2831:

      If the response is valid, the server MAY choose to deem that
      authentication has succeeded. However, if it has been too long since
      the previous authentication, or for any other reason, the server MAY
      send a new "digest-challenge" with a new value for nonce. The
      challenge MAY contain a "stale" directive with value "true", which
      says that the client may respond to the challenge using the password
      it used in the previous response; otherwise, the client must solicit
      the password anew from the user. This permits the server to make sure
      that the user has presented their password recently. (The directive
      name refers to the previous nonce being stale, not to the last use of
      the password.) Except for the handling of "stale", after sending the
      "digest-challenge" authentication proceeds as in the case of initial
      authentication.
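
The handling the RFC text above describes, as an added example that is not part of the original issue and is not Elytron's code: a client parses a repeated digest-challenge and uses "stale" to choose between answering with the cached password and the new nonce, or prompting the user again. The class, enum and method names are hypothetical, and the sample challenges are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; class, enum and method names are hypothetical, not Elytron's API.
public class StaleDirectiveDemo {
    enum Action { RESPOND_WITH_CACHED_PASSWORD, PROMPT_FOR_PASSWORD }

    // One directive: key "=" ( quoted-string | token ), followed by "," or end of input.
    private static final Pattern DIRECTIVE = Pattern.compile(
            "\\s*([A-Za-z0-9-]+)\\s*=\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^,\\s]*))\\s*(?:,|$)");

    static Map<String, String> parseChallenge(String challenge) {
        Map<String, String> directives = new LinkedHashMap<>();
        Matcher m = DIRECTIVE.matcher(challenge);
        int pos = 0;
        // Consume directives back to back; any gap means the challenge is malformed.
        while (pos < challenge.length() && m.find(pos) && m.start() == pos) {
            String value = m.group(2) != null ? m.group(2).replaceAll("\\\\(.)", "$1") : m.group(3);
            directives.put(m.group(1).toLowerCase(Locale.ROOT), value);
            pos = m.end();
        }
        if (pos != challenge.length()) {
            throw new IllegalArgumentException("Malformed digest-challenge at offset " + pos);
        }
        return directives;
    }

    // Decide how to answer a digest-challenge that arrives after a response was already sent.
    static Action onRepeatedChallenge(Map<String, String> directives) {
        if (directives.get("nonce") == null) {
            throw new IllegalArgumentException("digest-challenge without nonce");
        }
        // stale=true: only the previous nonce was rejected, so the cached password may be reused.
        // Otherwise the password must be solicited anew from the user.
        boolean stale = "true".equalsIgnoreCase(directives.get("stale"));
        return stale ? Action.RESPOND_WITH_CACHED_PASSWORD : Action.PROMPT_FOR_PASSWORD;
    }

    public static void main(String[] args) {
        // Constructed sample challenges; realm and nonce values are made up.
        String stale = "realm=\"example.org\",nonce=\"bmV3LW5vbmNl\",qop=\"auth\",stale=true,algorithm=md5-sess";
        String fresh = "realm=\"example.org\",nonce=\"b3RoZXI=\",qop=\"auth\",algorithm=md5-sess";
        for (String c : new String[] { stale, fresh }) {
            Map<String, String> d = parseChallenge(c);
            System.out.println(onRepeatedChallenge(d) + " using nonce " + d.get("nonce"));
        }
    }
}
```

In both branches the next response has to be computed over the nonce from the new challenge; only the source of the password differs.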

          People

            jkalina@redhat.com Jan Kalina (Inactive)