Skip to content


Subversion checkout URL

You can clone with
Download ZIP


HTTP Digest intermittent log-in pop-up #16

mogsie opened this Issue · 5 comments

2 participants


I'm not 100% sure but sometimes, with server and client on the same machine, I get log-in dialog boxes. I traced the problem (possibly) to out-of-order nonces when requests were fired by the browser in quick succession (simply an HTML page with elements).

I can trigger the problem by having a web page and associated images (3 images is enough to trigger it) that are digest protected, and using a browser to access the web page.

If I add latency of 100ms or so between the new requests (using javascript), then all requests work fine.

I'm not sure if this is really the case (out-of-order nonces) since I've seen seeminlgy in-order nonces (from the browser's point of view) fail. When I add a console.log of req.header.authorization, I see that when the nc are in-order, everything is good, and that when the nc are out-of-order, I get the 401 login prompt.


It seems I can fix it by keeping a cache of all used nonces, but that seems like an enormous memory leak to me.

If I change e.g. the elements of the this.nonces[] array to be "arrays of" instead of just the "last" nonce count then I don't get the problem even when the browser passes out-of-order nonces.

@mogsie mogsie referenced this issue

Fix for issue #16 #17


Thanks for reporting I will reproduce issue and let you know.


@gevorg gevorg referenced this issue from a commit
@gevorg Fixing issue #16. ff2f491

I have fixed the issue, by adding STALE option. Fix is committed to git and published to npm with 1.2.2 version.


@gevorg gevorg closed this

Thanks. Will test it immediately!

@mogsie mogsie referenced this issue from a commit in mogsie/http-auth
@mogsie mogsie Revert "Fixes issue 18, but introduces a memory leak (the nonce count…
…s). They do expire after a while, but the overhead might be problematic if you have too many requests."

This reverts commit f2c1aa7.

Issue #16 solved in a much more elegant way

It works perfectly :-) The occasional 401 I now see doesn't cause browsers to pop up a dialog box. Sweet!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.