From: Dave D. <dr...@cr...> - 2004-11-23 16:35:22
On Nov 10, 2004, at 6:39 PM, Jeffery A. Brush wrote:

> Dave wrote:
>
>> Rigorous testing of digest authentication would be nice. I can't tell you how
>> many times I get questions regarding digest auth and problems some client
>> writers tend to have.
>
> This is part of the reason we swapped out our custom code for HttpClient for
> our client API. Do you see this as a client problem or a server problem? And
> any specifics?

There are issues on both the client and server, but I was specifically talking
about clients being very loose in interpreting the spec.

> Things we have run into include:
> stale nonce - (We sent a patch to HttpClient fixing this.)
> missing qop
> confusion about when cookies are returned

Other things to include:

- Check for increasing nc (nonce count). It should never be repeated or
  decrease.
- Incorrect quotes in Authorization header. Both qop and nc are not supposed to
  have quotes. But you often see qop="auth" which is incorrect.
- Incorrect matching of uri field to actual URI. I've seen clients put the login
  URI in the authorization header for every digest Authorization header, even
  when executing other transactions.
- Putting an equals sign in the opaque field (for testing clients) and the
  cnonce field (for testing servers). Some parsers assume equals only occur
  between key/value pairs. But you can get equals signs in both opaque and
  cnonce.
- Servers need to handle the case when clients do not set qop. The digest is
  then calculated differently.

And a general HTTP problem I've seen multiple times is incorrectly setting the
"Host" HTTP header. Hand-written clients often do not set the port in the Host
header. For example, if the client is trying to access:

  http://rets.example.com:6103/login

Then the host header should be as follows:

  Host: rets.example.com:6103

I've seen many clients forget the port. This confuses some HTTP servers.

Hope that helps.

-Dave
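The server-side checks Dave lists above (monotonic nc, unquoted qop and nc, uri matching the request, equals signs inside opaque and cnonce, the qop-less digest form) and the Host-header rule, as an added example written for this archive page; it is not code from the thread, from HttpClient or from any RETS project. The parser, `check_request` and `expected_host_header` are my own; the sample Authorization header is the RFC 2617 section 3.5 example (password "Circle Of Life"), and the `rets.example.com:6103` URL is the one from the message.

```python
import hashlib
import re
from urllib.parse import urlsplit

# One key=value pair of a Digest header.  The quoted alternative runs to the
# closing quote (backslash escapes allowed), so cnonce="a==b" or opaque="x=y"
# is read whole instead of being split at the '=' inside the value.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest(header):
    """Parse 'Digest k=v, k2="v2", ...' into ({key: value}, {keys that were quoted})."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    params, quoted = {}, set()
    for m in _PARAM_RE.finditer(rest):
        key = m.group(1).lower()
        if m.group(2) is not None:
            params[key] = m.group(2).replace('\\"', '"')
            quoted.add(key)  # remember which fields the client quoted
        else:
            params[key] = m.group(3)
    return params, quoted


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_response(params, method, password):
    """Recompute the response digest as RFC 2617 describes.

    With qop=auth the nonce count, cnonce and qop enter the hash; when the
    client sent no qop at all, the older RFC 2069 form applies and they do not.
    """
    ha1 = _md5(f"{params['username']}:{params['realm']}:{password}")
    ha2 = _md5(f"{method}:{params['uri']}")
    qop = params.get("qop")
    if qop is None:
        return _md5(f"{ha1}:{params['nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError(f"unsupported qop {qop!r}")
    return _md5(f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:{qop}:{ha2}")


def check_request(header, method, request_uri, password, last_nc=None):
    """Validate one Authorization header against the request it arrived with.

    Returns (findings, nc): findings lists the problems found (empty when the
    header is acceptable); nc is the nonce count as an int, or None for the
    qop-less form.  The caller keeps nc per server nonce and passes it back as
    last_nc on the next request so repeats and decreases are caught.
    """
    params, quoted = parse_digest(header)
    findings = []
    for key in ("qop", "nc"):
        if key in quoted:
            findings.append(f'{key} must not be quoted (got {key}="{params[key]}")')
    if params.get("uri") != request_uri:
        findings.append(f"uri={params.get('uri')!r} does not match request URI {request_uri!r}")
    nc = None
    if "qop" in params:
        try:
            nc = int(params["nc"], 16)
        except (KeyError, ValueError):
            findings.append("qop given but nc missing or not hexadecimal")
        else:
            if last_nc is not None and nc <= last_nc:
                findings.append(f"nc {nc:08x} did not increase past {last_nc:08x} (replay?)")
    # Compare the digest only once the header is structurally sound, so a
    # malformed header reports the real problem rather than a bare mismatch.
    if not findings and params.get("response") != expected_response(params, method, password):
        findings.append("response digest does not match")
    return findings, nc


def expected_host_header(url):
    """Host header a client must send for url: hostname plus port unless the port is the scheme default."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


if __name__ == "__main__":
    # Constructed sample: the RFC 2617 section 3.5 example request.
    good = ('Digest username="Mufasa", realm="testrealm@host.com", '
            'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
            'qop=auth, nc=00000001, cnonce="0a4f113b", '
            'response="6629fae49393a05397450978507c4ef1", '
            'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
    print(check_request(good, "GET", "/dir/index.html", "Circle Of Life"))
    print(check_request(good.replace("qop=auth", 'qop="auth"'), "GET", "/login", "Circle Of Life", last_nc=1))
    print(expected_host_header("http://rets.example.com:6103/login"))
```

A server would call `check_request` with the per-nonce last nc it has stored; a client test harness can feed it the headers a client under test emits, with an opaque or cnonce containing `=` to exercise the parser, and compare the no-qop and qop=auth digests to confirm both code paths are exercised.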