[Solved] Security issues with Digest Authentication
With Digest Authentication I observed that if we send an Authorization header with some random nonce and the corresponding response, lighttpd gives 200 OK, while in the case of Apache it sets the STALE = TRUE flag, indicating that the nonce was stale.
But lighttpd does not compare the incoming nonce with the nonce it generated...
This is a security threat and allows replay attacks if a hacker can get the realm from the server...
I want to implement it... or has somebody already noticed it? (Some hints?)
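Added example, not part of the original thread and not lighttpd's or Apache's code: a minimal server-side Digest check in Python that contrasts the behaviour the post describes (digest verified against whatever nonce the client sent, nonce itself never validated) with a hardened check that only accepts nonces the server minted and signals stale=true only when the digest for an expired nonce is otherwise correct. The nonce format (timestamp plus HMAC over a server secret), the 300 s lifetime, the realm, the secret and the credentials are constructed assumptions for the demo; responses are computed per RFC 2617 without qop.

```python
import hashlib
import hmac
import time

# Constructed demo values (not from the original post or any server's code).
SERVER_SECRET = b"constructed-demo-secret-replace-with-os.urandom(32)"
NONCE_LIFETIME = 300          # seconds a server-issued nonce stays fresh
REALM = "example.org"         # the realm is public: it is sent in every 401
CREDENTIALS = {"alice": "correct horse battery staple"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now: float) -> str:
    """Mint a server-issued nonce: '<timestamp>:<HMAC(secret, timestamp)>'.
    The HMAC tag is what lets the server later recognise its own nonces."""
    ts = str(int(now))
    tag = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{tag}"


def check_nonce(nonce: str, now: float) -> str:
    """Classify a client-supplied nonce: 'ok', 'stale' (ours, but expired) or
    'bad' (not minted by this server, e.g. chosen or forged by the client)."""
    ts, sep, tag = nonce.partition(":")
    if not sep or not ts.isdigit():
        return "bad"
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "bad"
    age = now - int(ts)
    return "ok" if 0 <= age <= NONCE_LIFETIME else "stale"


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def challenge(now: float, stale: bool = False) -> dict:
    """401 headers with a freshly minted nonce, optionally flagged stale."""
    hdr = f'Digest realm="{REALM}", nonce="{make_nonce(now)}"'
    if stale:
        hdr += ", stale=true"
    return {"WWW-Authenticate": hdr}


def digest_matches(auth: dict) -> bool:
    """Recompute the response for the nonce the client sent and compare."""
    password = CREDENTIALS.get(auth.get("username", ""))
    if password is None:
        return False
    expected = digest_response(auth["username"], REALM, password,
                               auth["method"], auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth.get("response", ""))


def weak_authorize(auth: dict, now: float):
    """Behaviour the post describes: the digest is checked against whatever
    nonce the client sent and the nonce is never validated, so a captured
    Authorization header (or one built with a chosen nonce) works forever."""
    return (200, {}) if digest_matches(auth) else (401, challenge(now))


def authorize(auth: dict, now: float):
    """Hardened check: the nonce must be one this server minted, and stale=true
    is signalled only when the digest for that nonce is otherwise correct
    (RFC 2617 section 3.2.1), so a forged nonce gets no stale hint."""
    state = check_nonce(auth.get("nonce", ""), now)
    if state == "bad" or not digest_matches(auth):
        return 401, challenge(now)
    if state == "stale":
        return 401, challenge(now, stale=True)
    return 200, {}


def build_auth(username, password, method, uri, nonce) -> dict:
    """Client side: the parsed Authorization header for a given nonce."""
    return {"username": username, "method": method, "uri": uri, "nonce": nonce,
            "response": digest_response(username, REALM, password, method, uri, nonce)}


if __name__ == "__main__":
    t0 = time.time()
    fresh = build_auth("alice", CREDENTIALS["alice"], "GET", "/private/", make_nonce(t0))
    forged = build_auth("alice", CREDENTIALS["alice"], "GET", "/private/", "attacker-picked-nonce")
    print("fresh   weak/hardened:", weak_authorize(fresh, t0)[0], authorize(fresh, t0)[0])
    print("forged  weak/hardened:", weak_authorize(forged, t0)[0], authorize(forged, t0)[0])
    print("replay  weak/hardened:", weak_authorize(fresh, t0 + 3600)[0], authorize(fresh, t0 + 3600)[0])
```

Two points the demo makes concrete. A client-chosen nonce only helps an attacker who can already compute the response, i.e. who holds the password or the HA1 hash (the realm alone is not enough); the nonce check closes that door regardless. Replaying a captured Authorization header needs no secret at all, and the weak check accepts it indefinitely, whereas the hardened one rejects it with stale=true once the nonce has expired, which is the Apache behaviour the post observed.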
RE: Security issues with Digest Authentication - Added by darix about 14 years ago
This is even documented in the mod_auth documentation.