Senthil Kumaran <orsent...@gmail.com> added the comment:

Interesting issue. RFC 2617 supports the claim. In RFC 2617, section 3.2.2 The Authorization Request Header, we see that nonce-count is maintained for each particular nonce value and it can be used by the server to verify the replays.

"""
The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. For example, in the first request sent in response to a given nonce value, the client sends "nc=00000001". The purpose of this directive is to allow the server to detect request replays by maintaining its own copy of this count - if the same nc-value is seen twice, then the request is a replay.
"""

Resetting the nonce_count for each new nonce is the correct thing to do. Patch seems okay and I am going ahead with that. We don't have tests for HTTPDigestAuth yet; the nonce tests should be a part of that.

----------
resolution:  -> accepted

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue4683>
_______________________________________
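The mechanism quoted above, worked through in code as an added example (this is not code from the tracker issue or from urllib): a server keeps its own copy of the nonce-count per nonce and rejects a request whose nc is not greater than what it has already seen, and a client-side counter resets to zero whenever the server hands it a new nonce. The header parser, the NonceReplayDetector and DigestClientCounter classes, the SAMPLE_HEADERS and the nonce values "n1"/"n2" are all constructed here for illustration; in strict mode the detector also flags the exact symptom of a client that fails to reset (first request under a fresh nonce arriving with nc != 00000001).

```python
import re
import secrets
import time

# Constructed sample Authorization headers (not from the tracker issue):
# 1. the client's first request under nonce "n1",
# 2. a byte-for-byte replay of that request,
# 3. the first request under a fresh nonce "n2" from a client that did
#    NOT reset its nonce_count, so it carries on at nc=00000002.
SAMPLE_HEADERS = [
    'Digest username="alice", realm="ex", nonce="n1", uri="/a", nc=00000001, cnonce="c1", qop=auth, response="r1"',
    'Digest username="alice", realm="ex", nonce="n1", uri="/a", nc=00000001, cnonce="c1", qop=auth, response="r1"',
    'Digest username="alice", realm="ex", nonce="n2", uri="/a", nc=00000002, cnonce="c2", qop=auth, response="r2"',
]

# Matches key="quoted value" or key=unquoted_token inside the header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_auth(header):
    """Return the directives of a 'Digest ...' Authorization header as a dict.

    Both quoted (nonce="...") and unquoted (nc=00000001) forms are accepted,
    since RFC 2617 uses both in the same header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    result = {}
    for m in _PARAM_RE.finditer(params):
        key, quoted, unquoted = m.groups()
        result[key] = quoted if quoted is not None else unquoted
    return result


class NonceReplayDetector:
    """Server side: maintain the highest nc seen for every nonce we issued.

    A request whose nc is not above the stored count is a replay.  With
    strict=True the nc must also be exactly the next expected value, which
    catches clients that did not restart their count on a new nonce."""

    def __init__(self, max_age=300, strict=True):
        self._nonces = {}  # nonce -> [issued_at, highest_nc_seen]
        self._max_age = max_age
        self._strict = strict

    def register_nonce(self, nonce, now=None):
        self._nonces[nonce] = [time.time() if now is None else now, 0]
        return nonce

    def issue_nonce(self, now=None):
        # Fresh unpredictable nonce for a new WWW-Authenticate challenge.
        return self.register_nonce(secrets.token_hex(16), now)

    def check(self, nonce, nc_hex, now=None):
        now = time.time() if now is None else now
        entry = self._nonces.get(nonce)
        if entry is None:
            return "unknown-nonce"
        issued_at, highest = entry
        if now - issued_at > self._max_age:
            del self._nonces[nonce]  # client must re-authenticate (stale=true)
            return "stale"
        if not re.fullmatch(r"[0-9a-fA-F]{8}", nc_hex):
            return "bad-nc"
        nc = int(nc_hex, 16)
        if nc <= highest:
            return "replay"
        if self._strict and nc != highest + 1:
            return "out-of-sequence"
        entry[1] = nc
        return "ok"


class DigestClientCounter:
    """Client side: the counter urllib keeps, reset whenever the nonce changes."""

    def __init__(self):
        self.last_nonce = None
        self.nonce_count = 0

    def next_nc(self, nonce):
        if nonce != self.last_nonce:
            # New challenge from the server: start counting again at 1.
            self.last_nonce = nonce
            self.nonce_count = 0
        self.nonce_count += 1
        return "%08x" % self.nonce_count


def run_demo():
    """Run the constructed headers through a strict server-side detector."""
    det = NonceReplayDetector(strict=True)
    for n in ("n1", "n2"):  # pretend the server issued both nonces at t=1000
        det.register_nonce(n, now=1000.0)
    return [det.check(d["nonce"], d["nc"], now=1001.0)
            for d in map(parse_digest_auth, SAMPLE_HEADERS)]


if __name__ == "__main__":
    print(run_demo())  # ['ok', 'replay', 'out-of-sequence']
```

The third verdict is the one this issue is about: a client that keeps its old nonce_count after receiving a new nonce looks to a strict server like an out-of-sequence request, so resetting the count per nonce is needed for interoperability, not just for tidiness.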