• Official comment
    Sergey Yuldashev

    Hello francesco cervellera,

    First of all, although I am a Wikipedia fan, when a certain operation is under discussion, it is always better to refer to the RFC that describes the standard underneath it. In this case it's RFC 2069, An Extension to HTTP: Digest Access Authentication.

    More specifically, we need to take a closer look at the sections:

    2.1.1, which describes the authentication response header:

        The contents of the nonce are implementation dependent. The
        quality of the implementation depends on a good choice.

    3.2, which describes replay attacks and the possible ways of protection:

        The server created "nonce" value is implementation dependent, but if
        it contains a digest of the client IP, a time-stamp, and a private
        server key (as recommended above) then a replay attack is not simple.
        An attacker must convince the server that the request is coming from
        a false IP address and must cause the server to deliver the document
        to an IP address different from the address to which it believes it
        is sending the document. An attack can only succeed in the period
        before the time-stamp expires. Digesting the client IP and
        time-stamp in the nonce permits an implementation which does not
        maintain state between transactions.

    This document does indeed say that some servers could generate one-time nonces, but it never states that it must be this way.

    The nonces generated by Nx Server expire 5 minutes after that. BTW, this information is available in the API documentation:

    Let me know if you have any further questions.

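As an added illustration of the stateless scheme quoted from section 3.2 above (not code from the original post or from Nx Server): the nonce carries its own time-stamp plus a keyed digest over the client IP and that time-stamp, so the server can check it without storing anything. HMAC-SHA256 is swapped in for the plain digest, and the key, function names and sample addresses are assumptions; the 5-minute lifetime is the value given in the post.

```python
import hashlib
import hmac
import secrets
import time

NONCE_LIFETIME_S = 5 * 60              # lifetime stated in the post for Nx Server nonces
SERVER_KEY = secrets.token_bytes(32)   # hypothetical private server key


def _mac(client_ip, timestamp, key):
    # Keyed digest over client IP and time-stamp (HMAC-SHA256, an assumption).
    msg = f"{client_ip}:{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_nonce(client_ip, now=None, key=SERVER_KEY):
    """Issue a nonce that embeds its time-stamp, so no server state is kept."""
    ts = int(time.time()) if now is None else now
    return f"{ts:x}:{_mac(client_ip, ts, key)}"


def check_nonce(nonce, client_ip, now=None, key=SERVER_KEY):
    """Return 'ok', 'stale' (expired) or 'invalid' (forged, malformed, wrong IP)."""
    current = int(time.time()) if now is None else now
    ts_hex, sep, mac = nonce.partition(":")
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return "invalid"
    expected = _mac(client_ip, ts, key)
    # Constant-time comparison on bytes; also rejects a missing separator.
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        return "invalid"
    # Authenticity is established first, then freshness is checked.
    if not 0 <= current - ts <= NONCE_LIFETIME_S:
        return "stale"
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed clock value
    n = make_nonce("192.0.2.10", now=t0)     # constructed client address
    print(check_nonce(n, "192.0.2.10", now=t0 + 60))     # ok
    print(check_nonce(n, "192.0.2.10", now=t0 + 120))    # ok: same nonce reused
    print(check_nonce(n, "198.51.100.7", now=t0 + 60))   # invalid: other client IP
    print(check_nonce(n, "192.0.2.10", now=t0 + 301))    # stale
```

The second check shows the behaviour discussed in this thread: within its lifetime the same nonce is accepted more than once, because the scheme binds it to an IP and a time window rather than to a single request.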
  • francesco cervellera

    Thanks for the clarification.
