Juha Heinanen wrote:
Martin Hoffmann writes:
We came across an issue where a client expects an unexpired nonce to be flagged by the stale=true flag in the Digest Authenticate header field.
Is that specified in some RFC or elsewhere?
Yes. RFC 2617, 3.2.1:
stale A flag, indicating that the previous request from the client was rejected because the nonce value was stale. If stale is TRUE (case-insensitive), the client may wish to simply retry the request with a new encrypted response, without reprompting the user for a new username and password. The server should only set stale to TRUE if it receives a request for which the nonce is invalid but with a valid digest for that nonce (indicating that the client knows the correct username/password). If stale is FALSE, or anything other than TRUE, or the stale directive is not present, the username and/or password are invalid, and new values must be obtained.
Regards, Martin
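The rule Martin quotes is easy to get backwards in a server: stale=true is a statement about the nonce, not about the credentials, and it may only be sent when the digest the client computed is correct for the (expired) nonce it used. The following is an added example, not code from the thread or from any particular SIP or HTTP server; it assumes a constructed realm, user table, and a timestamp-plus-HMAC nonce format so that expiry can be checked without server state. It verifies an RFC 2617 qop=auth response and returns which challenge, if any, the server should send.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values (assumptions, not taken from the thread).
REALM = "example.org"
USERS = {"alice": "s3cret"}           # username -> cleartext password
NONCE_KEY = secrets.token_bytes(32)    # server secret binding nonce to its timestamp
NONCE_LIFETIME = 300                   # seconds after which a nonce is stale


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now=None) -> str:
    """Nonce = <issue time>:<HMAC of issue time>. Stateless, but expiry and origin are checkable."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{mac}"


def nonce_is_fresh(nonce: str, now=None) -> bool:
    """True only if we issued this nonce and it is still within NONCE_LIFETIME."""
    try:
        ts, mac = nonce.split(":", 1)
        expected = hmac.new(NONCE_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(mac, expected):
            return False
        age = (now if now is not None else time.time()) - int(ts)
        return 0 <= age <= NONCE_LIFETIME
    except ValueError:
        return False


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1 with qop=auth: MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, method, uri, nonce, nc="00000001", cnonce="0a4f113b"):
    """What a client puts in its Authorization header (parsed form), for the demo."""
    return {
        "username": username, "realm": REALM, "uri": uri, "nonce": nonce,
        "nc": nc, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(username, password, method, uri, nonce, nc, cnonce),
    }


def check_request(params, method, now=None):
    """
    Classify a parsed Digest Authorization header per RFC 2617 3.2.1.
      ("ok", None)                 -> authenticated
      ("challenge", "stale=true")  -> digest valid for its nonce, nonce expired: client may retry silently
      ("challenge", "stale=false") -> digest wrong (or unknown user): client must reprompt the user
    The digest is checked first; stale=true is only ever sent for a correct digest.
    """
    password = USERS.get(params.get("username"))
    if password is None:
        return ("challenge", "stale=false")
    nonce = params.get("nonce", "")
    calc = digest_response(params["username"], password, method, params["uri"],
                           nonce, params["nc"], params["cnonce"], params.get("qop", "auth"))
    if not hmac.compare_digest(calc, params.get("response", "")):
        return ("challenge", "stale=false")   # wrong password, or response not computed for this nonce
    if not nonce_is_fresh(nonce, now):
        return ("challenge", "stale=true")    # client knows the password; only the nonce is bad
    return ("ok", None)


def www_authenticate(stale_directive, now=None) -> str:
    """Challenge header carrying the stale flag decided above."""
    return f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce(now)}", {stale_directive}'
```

Note the order of checks: if the nonce were rejected before the digest was verified, an attacker who does not know the password would still be handed stale=true, and a client that honours it would silently loop. Checking the digest against whatever nonce the client presented is what lets the server make the "valid digest for that nonce" determination the RFC asks for.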