[issue4683] urllib2.HTTPDigestAuthHandler fails on third hostname?
Senthil Kumaran
report at bugs.python.org
Sun Nov 15 09:32:47 CET 2009
Senthil Kumaran <orsenthil at gmail.com> added the comment:
Interesting issue. RFC 2617 supports the claim. In RFC 2617, section
3.2.2 The Authorization Request Header, we see that nonce-count is
maintained for each particular nonce value and it can be used by the server
to verify the replays.
"""
The nc-value is the hexadecimal count of the number of requests
(including the current request) that the client has sent with the nonce
value in this request. For example, in the first request sent in
response to a given nonce value, the client sends "nc=00000001". The
purpose of this directive is to allow the server to detect request
replays by maintaining its own copy of this count - if the same
nc-value is seen twice, then the request is a replay.
"""
Resetting the nonce_count for each new nonce is the correct thing to do.
Patch seems okay and I am going ahead with that.
We don't have a test for HTTPDigestAuth yet; the nonce tests should be a
part of that.
----------
resolution: -> accepted
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4683>
_______________________________________
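
Added example (not the patch attached to this issue and not urllib2's own code): a sketch of the per-nonce counting described in the RFC 2617 passage quoted above, with the client restarting nc at 1 for every new nonce and the server keeping its own record of nc-values per nonce. The class names and the nonce strings are hypothetical and constructed for illustration.

```python
class ClientNonceCounter:
    """Client side: nc counts requests sent with the *current* nonce only."""

    def __init__(self):
        self.last_nonce = None
        self.nonce_count = 0

    def next_nc(self, nonce):
        if nonce != self.last_nonce:
            # A new nonce (new challenge, possibly another host): restart
            # the count instead of carrying it over from the old nonce.
            self.last_nonce = nonce
            self.nonce_count = 0
        self.nonce_count += 1
        return "%08x" % self.nonce_count  # 8 hex digits, e.g. 00000001


class ServerReplayCheck:
    """Server side: its own copy of the nc-values seen for each nonce."""

    def __init__(self):
        self.seen = {}  # nonce -> set of integer nc-values already seen

    def accept(self, nonce, nc):
        used = self.seen.setdefault(nonce, set())
        value = int(nc, 16)
        if value in used:
            return False  # same nc-value seen twice for this nonce: replay
        used.add(value)
        return True


def demo():
    """Run a constructed sequence; returns (nonce, nc, accepted) tuples."""
    client, server = ClientNonceCounter(), ServerReplayCheck()
    log = []
    for nonce in ("nonce-A", "nonce-A", "nonce-B"):  # constructed nonces
        nc = client.next_nc(nonce)
        log.append((nonce, nc, server.accept(nonce, nc)))
    # Resending the first request verbatim is rejected as a replay.
    log.append(("nonce-A", "00000001", server.accept("nonce-A", "00000001")))
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```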