Implement more robust nonce handling in Digest authentication.
Shore up some of the implementation gaps we have around nonces. Nonces should expire and should be generated by the server. I've followed the Symfony approach to generating nonces, which results in short-lived (5 minutes by default) nonces that are regenerated each time the client receives a 401. By validating and requiring nonce rotation we can avoid replay attacks with our Digest authentication implementation. I've targeted 3.next as validating/requiring nonce rotation is a behavior change that I feel could trip up application developers. By including it in a minor release we can more effectively communicate the changes. Refs #9668
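The nonce scheme the commit message describes (server-generated, bound to a secret, expiring after 5 minutes, re-issued with every 401) in a self-contained form. This is an added example written for this page, not the commit's own code or CakePHP's or Symfony's implementation; the HMAC-SHA256 binding, the `NONCE_LIFETIME` constant, the function names and the `server-side-secret` key are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the commit's code. Assumption: $secret is a key that lives
// only on the server, and 300 seconds is the 5-minute default the commit describes.
const NONCE_LIFETIME = 300;

// nonce = base64(expiry ':' HMAC(expiry, secret)). The HMAC means a client cannot
// mint its own nonce or extend the expiry of one it already holds.
function generateNonce(string $secret, int $now, int $lifetime = NONCE_LIFETIME): string
{
    $expires = $now + $lifetime;
    $sig = hash_hmac('sha256', (string)$expires, $secret);
    return base64_encode($expires . ':' . $sig);
}

/**
 * Returns null when the nonce is acceptable, otherwise a short reason.
 * 'stale' means the nonce really was ours but has expired: the server should
 * answer 401 with stale=true and a fresh nonce, which lets a well-behaved client
 * retry with the new nonce without re-prompting the user for credentials.
 */
function validateNonce(string $nonce, string $secret, int $now): ?string
{
    $decoded = base64_decode($nonce, true);
    if ($decoded === false || substr_count($decoded, ':') !== 1) {
        return 'malformed';
    }
    [$expires, $sig] = explode(':', $decoded, 2);
    if (!ctype_digit($expires)) {
        return 'malformed';
    }
    $expected = hash_hmac('sha256', $expires, $secret);
    // Constant-time comparison: the signature is the only thing standing between
    // an attacker and a nonce of their own choosing.
    if (!hash_equals($expected, $sig)) {
        return 'forged';
    }
    if ((int)$expires <= $now) {
        return 'stale';
    }
    return null;
}

// The WWW-Authenticate challenge sent with a 401. Every challenge carries a newly
// generated nonce, so the client is rotated onto a fresh one each time.
function challengeHeader(string $secret, int $now, bool $stale): string
{
    $header = sprintf(
        'Digest realm="app", qop="auth", algorithm="MD5", nonce="%s"',
        generateNonce($secret, $now)
    );
    if ($stale) {
        $header .= ', stale=true';
    }
    return $header;
}

// Constructed walk-through with a fixed clock so the run is reproducible.
$secret = 'server-side-secret';
$t0 = 1700000000;
$nonce = generateNonce($secret, $t0);

var_dump(validateNonce($nonce, $secret, $t0 + 60));     // inside the 5-minute window
var_dump(validateNonce($nonce, $secret, $t0 + 301));    // past the lifetime
var_dump(validateNonce($nonce, 'other-secret', $t0));   // not issued by this server
var_dump(validateNonce('not-base64!', $secret, $t0));   // garbage from the client

// What the server sends back once the nonce has gone stale.
echo challengeHeader($secret, $t0 + 301, true), "\n";
```

Expiry bounds how long a captured `Authorization: Digest ...` header stays useful, but it does not by itself stop a replay inside the window: for that the server also has to track the `nc` (nonce count) per nonce and reject a request whose count has not increased, which is the part of RFC 7616 this example leaves out.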
Showing with 243 additions and 58 deletions.