HTTP Digest intermittent log-in pop-up

[mogsie]

I'm not 100% sure but sometimes, with server and client on the same machine, I get log-in dialog boxes. I traced the problem (possibly) to out-of-order nonces when requests were fired by the browser in quick succession (simply an HTML page with elements).

I can trigger the problem by having a web page and associated images (3 images is enough to trigger it) that are digest protected, and using a browser to access the web page.

If I add latency of 100ms or so between the new requests (using javascript), then all requests work fine.

I'm not sure if this is really the case (out-of-order nonces) since I've seen seeminlgy in-order nonces (from the browser's point of view) fail. When I add a console.log of req.header.authorization, I see that when the nc are in-order, everything is good, and that when the nc are out-of-order, I get the 401 login prompt.

[mogsie]

It seems I can fix it by keeping a cache of all used nonces, but that seems like an enormous memory leak to me.

If I change e.g. the elements of the this.nonces[] array to be "arrays of co.nc" instead of just the "last" nonce count then I don't get the problem even when the browser passes out-of-order nonces.

[gevorg]

Thanks for reporting I will reproduce issue and let you know.

Gevorg.

[gevorg]

I have fixed the issue, by adding STALE option. Fix is committed to git and published to npm with 1.2.2 version.

Gevorg.

[mogsie]

Thanks. Will test it immediately!

[mogsie]

It works perfectly :-) The occasional 401 I now see doesn't cause browsers to pop up a dialog box. Sweet!