Send random cnonce for HTTP Digest requests #630

Merged
merged 4 commits into from Aug 16, 2013

wprl commented Aug 16, 2013

My real problem is that passport-http interprets cnonce="" as an undefined cnonce.

From my understanding of cnonce, it is best to send a random cnonce with every request to make it harder to use a rainbow-table based attack against the hash.

So, I offer this patch in the hopes of solving my original problem, while also making request's digest implementation more complete.

Cheers,
William

@mikeal mikeal merged commit 21a6357 into request:master Aug 16, 2013
@sberryman

Any chance of publishing a new version with these changes?

I'm also experiencing a problem when a server is returning:
qop="auth, auth-int"

Full header:
'www-authenticate': 'Digest realm="XXX", nonce="XXX", qop="auth, auth-int"'

It only appears to work when I use qop="auth" in the authHeader. If I leave qop="auth, auth-int", it will fail every time.
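
Added example, not code from the request library or from this pull request: a minimal RFC 2617 Digest computation in Node.js that sends a fresh, non-empty random cnonce per request and treats the challenge's qop as a list of options, selecting `auth` when the server offers `"auth, auth-int"`. All function names are hypothetical, and MD5 is used only because it is the protocol's default algorithm.

```javascript
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// Parse a WWW-Authenticate Digest challenge; quoted values may contain commas.
function parseChallenge(header) {
  const params = {};
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// The challenge's qop is a list of options; the response must name exactly one.
function chooseQop(qopValue) {
  if (!qopValue) return undefined; // no qop offered: legacy RFC 2069 response
  const offered = qopValue.split(',').map((t) => t.trim().toLowerCase());
  if (offered.includes('auth')) return 'auth'; // auth-int needs the body hash
  throw new Error('no supported qop in: ' + qopValue);
}

function buildAuthorization(challengeHeader, { username, password, method, uri, nc = 1, cnonce }) {
  const c = parseChallenge(challengeHeader);
  const qop = chooseQop(c.qop);
  const ha1 = md5(`${username}:${c.realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  const fields = { username, realm: c.realm, nonce: c.nonce, uri };
  if (qop) {
    const ncHex = nc.toString(16).padStart(8, '0');
    // Never send an empty cnonce: generate 128 random bits unless one is supplied.
    cnonce = cnonce || crypto.randomBytes(16).toString('hex');
    fields.response = md5([ha1, c.nonce, ncHex, cnonce, qop, ha2].join(':'));
    Object.assign(fields, { qop, nc: ncHex, cnonce });
  } else {
    fields.response = md5(`${ha1}:${c.nonce}:${ha2}`);
  }
  if (c.opaque) fields.opaque = c.opaque;
  return fields;
}

// qop and nc are sent unquoted in the Authorization header; the rest are quoted.
function formatHeader(fields) {
  const unquoted = new Set(['qop', 'nc']);
  return 'Digest ' + Object.entries(fields)
    .map(([k, v]) => (unquoted.has(k) ? `${k}=${v}` : `${k}="${v}"`)).join(', ');
}
```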
