PHP Classes

Digest nonce reuse

Subject:Digest nonce reuse
Summary:Is it possible to reuse the nonce with Digest Authentication?
Messages:3
Author:Louis-Charles
Date:2009-03-25 15:30:44
Update:2009-03-26 15:45:42
 

  1. Digest nonce reuse
Louis-Charles - 2009-03-25 15:30:45
I have written a PHP client that accesses a REST web service that requires Digest Authentication.

While stressing the server, I noticed in the server log that every request asks for Authentication (401). Then the correct call is done.

If I test the web service with Firefox, the first request asks for Authentication and subsequent requests use the same nonce and are successful. There's an expiration for the nonce and after a few requests a new nonce is returned by the server.

When Digest Authentication is detected, is it possible to reuse the last nonce by default when sending another request?


  2. Re: Digest nonce reuse
Manuel Lemos - 2009-03-25 23:58:34 - In reply to message 1 from Louis-Charles
I think that is possible but I would need to study the logic of reuse of authorization responses.

Meanwhile you can just take a look at the Authorization request header generated by the class and add it to the request headers instead of specifying the authentication credentials.

  3. Re: Digest nonce reuse
Louis-Charles - 2009-03-26 15:45:42 - In reply to message 2 from Manuel Lemos
Good, this part is working.

What I did in my wrapper class:

private $lastAuthorizationHeader = "";
...

// Replay the Authorization header captured from the previous request
$arguments["Headers"]["Authorization"] = $this->lastAuthorizationHeader;
$this->http->SendRequest( $arguments );
...
$error = $this->http->ReadReplyHeaders($headers); // this is where the Authorization header is set
...
// Keep the header the class generated so the next request can reuse it
$this->lastAuthorizationHeader = $this->http->request_headers["Authorization"];

So this works if you do several requests to the same URI. That's what I went through in my stress test with bulk inserts (POST) of data to the same URI.

Thank you for your quick answer.
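
Replaying a stored Authorization header only validates for the same method and URI, because both are hashed into the Digest response, and a server that tracks the nonce count (nc) can reject an unchanged header as a replay. The following is an added example, not code from the thread or from the HTTP/SASL classes: the class DigestNonceCache and its methods are hypothetical, and it assumes an RFC 2617 server offering qop=auth with MD5. It caches the challenge and recomputes the response for each request with an incremented nc and a fresh cnonce.

```php
<?php
// Added example: hypothetical helper, not part of the HTTP/SASL classes discussed above.
final class DigestNonceCache
{
    private array $challenge = []; // realm, nonce, opaque, ... from the last 401
    private int $nc = 0;           // number of requests already sent with this nonce

    // Store the parameters of a "WWW-Authenticate: Digest ..." challenge.
    public function remember(string $wwwAuthenticate): void
    {
        preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $wwwAuthenticate, $m, PREG_SET_ORDER);
        $this->challenge = [];
        foreach ($m as $p) {
            // $p[2] holds a quoted value, $p[3] an unquoted token
            $this->challenge[strtolower($p[1])] = $p[2] !== '' ? $p[2] : ($p[3] ?? '');
        }
        $this->nc = 0; // a new nonce restarts the count
    }

    // Build a fresh Authorization header for this method and URI, reusing the cached nonce.
    public function authorize(string $user, string $pass, string $method, string $uri): ?string
    {
        if (empty($this->challenge['nonce'])) {
            return null; // no challenge cached: send without credentials and expect a 401
        }
        $c = $this->challenge;
        $ncHex = sprintf('%08x', ++$this->nc);   // nc must increase on every reuse
        $cnonce = bin2hex(random_bytes(8));      // client nonce, new for each request
        $ha1 = md5("$user:{$c['realm']}:$pass");
        $ha2 = md5("$method:$uri");              // method and URI are part of the hash
        $response = md5("$ha1:{$c['nonce']}:$ncHex:$cnonce:auth:$ha2");
        $header = sprintf(
            'Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"',
            $user, $c['realm'], $c['nonce'], $uri, $ncHex, $cnonce, $response
        );
        return isset($c['opaque']) ? $header . sprintf(', opaque="%s"', $c['opaque']) : $header;
    }
}

// Constructed challenge and credentials (values are made up for the demonstration).
$cache = new DigestNonceCache();
$cache->remember('Digest realm="api", qop="auth", nonce="abc123", opaque="xyz"');
echo $cache->authorize('user', 'secret', 'POST', '/items'), "\n";  // nc=00000001
echo $cache->authorize('user', 'secret', 'GET', '/items/1'), "\n"; // nc=00000002, different response
```

When the server answers 401 again (for example with stale=true after the nonce expires), pass the new WWW-Authenticate value to remember() and retry the request once.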