Posted to users@httpd.apache.org by Nicolas Daniels <ni...@bluepimento.eu> on 2013/03/01 09:48:57 UTC

[users@httpd] Digest: secret not used

Hi all,

I've been trying digest authentication for a while now and just noticed 
a strange behavior when working on a cluster.

Actually I have 2 Apaches behind a load balancer (so serving the same domain), 
and I noticed that an authentication sent to Apache A is valid when sent 
to Apache B.
Let me explain:

1. My client connects to Apache A, it receives an authentication 
required with a nonce (valid for 1h).
2. My client authenticates itself on Apache A using the received nonce.
3. A few minutes later, the same client issues another request directly 
using the nonce already received, but the request goes to Apache B ---> 
No problem, the nonce is valid!

Looking at the code, it seems everything is done to prevent this by 
using a randomly generated secret in the nonce hash.

However, debugging a bit, it seems the nonce_ctx initialization is 
performed BEFORE the secret initialization, so it is always initialized 
with the same empty secret and the generated nonces are valid everywhere.

So basically, in mod_auth_digest.c, the set_realm function is called before 
initialize_secret.

Actually this behavior fits my needs for now, but I wanted to know if it 
is a desired behavior, if it is a bug, and if it might change in a future 
version?

I checked this on Apache 2.4.2 and 2.4.4 under Ubuntu.

Thanks!

-- 
Nicolas Daniels
Blue Pimento Service s.p.r.l.
Rue Louis de Geer 6
B-1348 Louvain-la-neuve
+32 10 390 014
+32 498 089 725
Fax. +32 10 390 001

Visit our web site: www.bluepimento.eu <http://www.bluepimento.eu>
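To make the ordering problem described above concrete, here is a small added model of the nonce scheme (not Apache's code, and not written by the poster): a per-server context is seeded with a secret plus the realm, each nonce appends a timestamp and a hash over the context, and a server only accepts a nonce whose hash it can recompute. The function names, the hex timestamp layout and the fixed sample values are constructed for this illustration; the real mod_auth_digest.c layout differs.

```python
import hashlib
import hmac
import os

# Constructed model: the context stands in for nonce_ctx, seeded once per server.

def make_nonce_ctx(secret: bytes, realm: bytes) -> bytes:
    """Analogue of set_realm(): seed the per-server context with secret || realm."""
    return secret + realm

def gen_nonce(ctx: bytes, timestamp: int) -> str:
    """Nonce = hex(timestamp) || sha1(ctx || timestamp); only a server with the
    same ctx can recompute the hash part."""
    digest = hashlib.sha1(ctx + str(timestamp).encode()).hexdigest()
    return f"{timestamp:08x}{digest}"

def check_nonce(ctx: bytes, nonce: str, now: int, lifetime: int = 3600) -> bool:
    """Recompute the nonce from THIS server's ctx; reject foreign or stale nonces."""
    if len(nonce) != 8 + 40:
        return False
    ts = int(nonce[:8], 16)
    expected = gen_nonce(ctx, ts)
    return hmac.compare_digest(expected, nonce) and 0 <= now - ts <= lifetime

def cross_server_accepts(secret_a: bytes, secret_b: bytes,
                         realm: bytes = b"example") -> bool:
    """Does a nonce issued by server A verify on server B a few minutes later?"""
    issued_at = 1362131337          # constructed timestamp
    ctx_a = make_nonce_ctx(secret_a, realm)
    ctx_b = make_nonce_ctx(secret_b, realm)
    nonce_from_a = gen_nonce(ctx_a, issued_at)
    return check_nonce(ctx_b, nonce_from_a, issued_at + 300)

# Reported bug: ctx is built before the secret is initialised, so every server
# seeds it with the same all-zero secret and nonces are accepted cluster-wide.
EMPTY_SECRET = b"\x00" * 20

def buggy_cluster() -> bool:
    return cross_server_accepts(EMPTY_SECRET, EMPTY_SECRET)

# Intended behaviour: each server seeds ctx with its own random secret, so a
# nonce minted by A is rejected by B (the client simply gets a fresh challenge).
def fixed_cluster() -> bool:
    return cross_server_accepts(os.urandom(20), os.urandom(20))
```

The model also shows why a per-server random secret is not enough on its own behind a load balancer: once the secret differs per node, digest sessions only survive if the balancer keeps a client on one node, which is the trade-off the question above is really about.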