The previous fix was not yet OK since it never forced a new nonce. The change below should be safer since a new nonce is forced after its lifetime expired. I hope I understood the "stale" parameter correctly now.
in (OverbyteIcs)HttpSrv.pas,

function THttpConnection.AuthDigestGetParams: Boolean;
..
        daAuthInt:
            if FAuthDigestQop <> 'auth-int' then
                Exit;
        daBoth: { whatever it is }
    end;

    // FAuthDigestStale := TRUE;   <== outcommented
..
    if (LastTime + t1) > t2 then begin   <== added
        Result := TRUE;
        FAuthDigestStale := TRUE;   <== added
    end;   <== added
end;

and in

procedure THttpConnection.AuthCheckAuthenticated;
..
    else if AuthType = atDigest then begin
        FAuthDigestBody := '';
        FAuthenticated := AuthDigestGetParams;
        if FAuthenticated then begin
            PasswdBuf := #0;
            TriggerAuthGetPassword(PasswdBuf);
            FAuthenticated := AuthDigestCheckPassword(PasswdBuf);
            if (not FAuthenticated) and FAuthDigestStale then   <== added
                FAuthDigestStale := FALSE;   <== added
            TriggerAuthResult(FAuthenticated);
        end;
    end
..

--
Arno Garrels
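Review bot: In AuthDigestGetParams, "FAuthDigestStale := TRUE" sits inside the "if (LastTime + t1) > t2" branch that also sets "Result := TRUE", so the flag is raised on the path where the nonce check passes, and in the lines shown nothing sets it on the path where that check fails. If t1 is the nonce lifetime and t2 the current time (their assignments are elided in this excerpt), an expired nonce returns FALSE with the stale flag untouched, and because AuthCheckAuthenticated only calls AuthDigestCheckPassword when AuthDigestGetParams returned TRUE, the server never learns whether the response for the expired nonce was otherwise correct. RFC 2617 intends stale=TRUE for exactly that case (nonce expired, digest valid), so the client can retry with a fresh nonce without prompting the user again. Suggest setting the flag on the expiry path instead, still verifying the digest there, and keeping the new reset to FALSE when the password check fails so that wrong credentials are never answered with stale=TRUE. A short comment stating what t1 and t2 hold would also make the comparison direction checkable at a glance.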