Hi all,

I've been trying digest authentication for a while now and just noticed a strange behavior when working on a cluster. Actually I have 2 Apaches behind a load balancer (so serving the same domain), and I noticed that an authentication sent to Apache A is valid when sent to Apache B. Let me explain:

1. My client connects to Apache A; it receives an authentication required with a nonce (valid for 1h).
2. My client authenticates itself on Apache A using the received nonce.
3. A few minutes later, the same client issues another request directly using the nonce already received, but the request goes to Apache B ---> No problem, the nonce is valid!

Looking at the code, it seems everything is done to prevent this by using a randomly generated secret in the nonce hash. However, debugging a bit, it seems the nonce_ctx initialization is performed BEFORE the secret initialization, so it is always initialized with the same empty secret and the generated nonces are valid everywhere. So basically, in mod_auth_digest.c, the set_realm function is called before initialize_secret.

Actually this behavior fits my needs for now, but I wanted to know if it is a desired behavior, if it is a bug and if it might change in future versions?

I checked this on Apache 2.4.2 and 2.4.4 under Ubuntu.

Thanks!
--
Nicolas Daniels
Blue Pimento Service s.p.r.l. Rue Louis de Geer 6 B-1348 Louvain-la-neuve ☎+32 10 390 014 ☎+32 498 089 725 Fax. +32 10 390 001 Visit our web site: www.bluepimento.eu
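As an added illustration of the point raised in the mail (a nonce is only bound to one server instance if that instance's secret actually enters the nonce hash), here is a small Python model. It is not code from the mail and not httpd's own code, and the nonce layout it uses (hex issue time followed by a truncated hash over realm, time and secret) is a generic simplification, not mod_auth_digest's exact format; the names DigestServer, make_nonce, nonce_is_valid and cross_instance_check are mine. The first scenario reproduces the reported situation with an empty secret shared by both instances; the second uses independently generated per-instance secrets.

```python
import hashlib
import hmac
import secrets

NONCE_TIME_LEN = 8     # hex-encoded issue time, seconds since the epoch
NONCE_HASH_LEN = 32    # truncated hex digest binding time, realm and secret
NONCE_MAX_AGE = 3600   # the 1h validity window mentioned in the mail


class DigestServer:
    """One HTTP server instance issuing and checking digest nonces.

    Simplified model (assumption, not mod_auth_digest's actual format):
    nonce = hex(time) || sha256("realm:time:" || secret)[:32].
    If the secret is shared (or empty) across instances, every instance
    accepts every other instance's nonces.
    """

    def __init__(self, name: str, realm: str, secret: bytes):
        self.name = name
        self.realm = realm
        self.secret = secret

    def _nonce_hash(self, ts_hex: str) -> str:
        data = f"{self.realm}:{ts_hex}:".encode() + self.secret
        return hashlib.sha256(data).hexdigest()[:NONCE_HASH_LEN]

    def make_nonce(self, now: float) -> str:
        ts_hex = f"{int(now) & 0xFFFFFFFF:0{NONCE_TIME_LEN}x}"
        return ts_hex + self._nonce_hash(ts_hex)

    def nonce_is_valid(self, nonce: str, now: float, max_age: int = NONCE_MAX_AGE) -> bool:
        if len(nonce) != NONCE_TIME_LEN + NONCE_HASH_LEN:
            return False
        ts_hex, given_hash = nonce[:NONCE_TIME_LEN], nonce[NONCE_TIME_LEN:]
        try:
            issued = int(ts_hex, 16)
        except ValueError:
            return False
        age = int(now) - issued
        if age < 0 or age > max_age:
            return False          # expired or issued "in the future"
        # Recompute with *this* instance's secret; constant-time compare.
        return hmac.compare_digest(given_hash, self._nonce_hash(ts_hex))


def cross_instance_check(secret_a: bytes, secret_b: bytes, realm: str = "cluster") -> dict:
    """Issue a nonce on A, then present it a few minutes later on A and on B."""
    a = DigestServer("apache-A", realm, secret_a)
    b = DigestServer("apache-B", realm, secret_b)
    t0 = 1_700_000_000.0                  # constructed issue time
    nonce = a.make_nonce(t0)
    later = t0 + 5 * 60                   # "a few minutes later"
    tampered = nonce[:-1] + ("0" if nonce[-1] != "0" else "1")
    return {
        "same_server": a.nonce_is_valid(nonce, later),
        "other_server": b.nonce_is_valid(nonce, later),
        "expired": a.nonce_is_valid(nonce, t0 + NONCE_MAX_AGE + 1),
        "tampered": a.nonce_is_valid(tampered, later),
    }


def shared_empty_secret() -> dict:
    # The situation described in the mail: both instances hash with the same
    # (empty) secret, so a nonce issued by A is accepted by B.
    return cross_instance_check(b"", b"")


def per_instance_secrets() -> dict:
    # Independently generated secrets: A's nonce is rejected by B.
    return cross_instance_check(secrets.token_bytes(32), secrets.token_bytes(32))


if __name__ == "__main__":
    print("empty shared secret:  ", shared_empty_secret())
    print("per-instance secrets: ", per_instance_secrets())
```

Note that the expiry and tamper checks pass in both scenarios; only the cross-instance result changes, which is why the misordering described in the mail is invisible to a single-server test and only shows up behind a load balancer. Whether cross-instance validity is wanted depends on the deployment: a cluster that deliberately shares one secret (or sticky sessions) gets the same effect on purpose.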