Digest: How to validate nonces without user? #71
Comments
|
Why would nonces be user-specific? |
|
I was going to say checking the incrementing nc for that user, but I guess
I could compare it to the cnonce if I store those as pairs. Am I
understanding that properly? Sorry, I have a limited understanding based on
research and the wiki. Thanks!
…On Sep 22, 2017 8:51 PM, "Jared Hanson" ***@***.***> wrote:
Why would nonces be user-specific?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#71 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAsxjb9VnaeA0yz3I9Gydmdfu6F_AQB6ks5slFYWgaJpZM4PhSE5>
.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the Digest constructor the 1st function passes in the username, which is where you validate the user exists and then pass back the decrypted password. In the 2nd function, you can validate nonces to avoid replay attacks, but the only parameter passed in, beside the
donefunction, is theparamsobject containing the nonce, cnonce, nc, and opaque values.I'm not sure how we're supposed to determine which user we're dealing within the nonce validation function. I assume the functions are asynchronous, so theoretically if more than one user is authenticating at the same time, I can't assume that the functions will be synchronously called for the same user and save off the user in a static variable somewhere.
Am I missing something? Thanks.
The text was updated successfully, but these errors were encountered: