On Tuesday 24 November 2015 18:32:49 Alexandru Covalschi wrote:
Now I'm seeking help with such a question - as I
understand, currently anyone
can register or auth his requests by using same Authorization header for
all purposes. So, I mean, someone can grab Auth header from the user's
packet and just use it to dig in the server.
How to avoid that? As I understood it's implemented in Kamailio. Can you
please tell me? Or give a link to RFC/doc where this is described? As I
understood, I'll need to implement that in my script, or maybe I can use
some built-in functions?
That is what the nonce in the challenge/response is for.
https://tools.ietf.org/html/rfc2617#section-4.3
You'll have to handle that in your script. You have to check how often
kamailio generates new nonces:
http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.nonce_count
http://kamailio.org/docs/modules/devel/modules/auth.html#auth.p.one_time_no…
since you might decline a response in your script but have the www_challenge
produce the same challenge to the client.
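To make the nonce mechanism from RFC 2617 concrete, here is an added example (my own toy code, not Kamailio's auth module and not anything posted in this thread) that computes the Digest response the way section 3.2.2 describes and then shows why a captured Authorization header cannot simply be re-sent: the server remembers each nonce it issued, tracks the highest nonce count (nc) it has accepted for it, expires it after a TTL, and can optionally accept it only once. The realm, user, password, SIP URI, TTL and the "one_time" flag are constructed test values and my own assumptions; the nonce-count and one-time checks only mirror the idea behind the two module parameters linked above, not their actual implementation.

```python
"""Toy RFC 2617 Digest verifier with nonce bookkeeping (added example, not Kamailio code)."""
import hashlib
import hmac
import secrets
import time


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2 with qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_auth(username, password, realm, method, uri, nonce, nc, cnonce):
    """Fields a client would place in its Authorization header (nc is an 8-digit hex counter)."""
    nc_hex = f"{nc:08x}"
    return {
        "username": username, "realm": realm, "uri": uri, "nonce": nonce,
        "nc": nc_hex, "cnonce": cnonce, "qop": "auth",
        "response": digest_response(username, realm, password, method, uri, nonce, nc_hex, cnonce),
    }


class DigestServer:
    """Issues nonces and verifies responses; rejects replays, stale and unknown nonces."""

    def __init__(self, realm, users, nonce_ttl=30.0, one_time=False):
        self.realm = realm
        self.users = users            # username -> password (constructed test data)
        self.nonce_ttl = nonce_ttl    # seconds a nonce stays valid (assumed value)
        self.one_time = one_time      # accept each nonce for exactly one request
        self.nonces = {}              # nonce -> {"issued": timestamp, "last_nc": int}

    def challenge(self, now=None):
        """Generate an unpredictable nonce for a WWW-Authenticate challenge and remember it."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = {"issued": time.time() if now is None else now, "last_nc": 0}
        return nonce

    def verify(self, auth, method, now=None):
        now = time.time() if now is None else now
        state = self.nonces.get(auth.get("nonce"))
        if state is None:
            return "unknown-nonce"          # never issued, or already consumed (one-time mode)
        if now - state["issued"] > self.nonce_ttl:
            del self.nonces[auth["nonce"]]
            return "stale"                  # client must request a fresh challenge
        nc = int(auth["nc"], 16)
        if nc <= state["last_nc"]:
            return "replay"                 # same header seen again: nc did not advance
        password = self.users.get(auth.get("username"))
        if password is None or auth.get("realm") != self.realm:
            return "bad-credentials"
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return "bad-credentials"
        state["last_nc"] = nc               # advance only after a successful check
        if self.one_time:
            del self.nonces[auth["nonce"]]
        return "ok"


def simulate():
    """Walk through replay, stale-nonce, bad-password and one-time-nonce cases."""
    t0, uri, cn = 1000.0, "sip:kamailio.example", "0a4f113b"   # constructed values
    srv = DigestServer("kamailio.example", {"alice": "s3cret"}, nonce_ttl=30.0)
    nonce = srv.challenge(now=t0)
    a1 = client_auth("alice", "s3cret", srv.realm, "REGISTER", uri, nonce, 1, cn)
    results = [srv.verify(a1, "REGISTER", now=t0 + 1)]       # fresh: ok
    results.append(srv.verify(a1, "REGISTER", now=t0 + 2))   # captured header re-sent: replay
    a2 = client_auth("alice", "s3cret", srv.realm, "REGISTER", uri, nonce, 2, cn)
    results.append(srv.verify(a2, "REGISTER", now=t0 + 3))   # nc advanced: ok
    bad = client_auth("alice", "wrong", srv.realm, "REGISTER", uri, nonce, 3, cn)
    results.append(srv.verify(bad, "REGISTER", now=t0 + 4))  # wrong password: bad-credentials
    a3 = client_auth("alice", "s3cret", srv.realm, "REGISTER", uri, nonce, 3, cn)
    results.append(srv.verify(a3, "REGISTER", now=t0 + 60))  # past the TTL: stale
    ot = DigestServer("kamailio.example", {"alice": "s3cret"}, one_time=True)
    n2 = ot.challenge(now=t0)
    b1 = client_auth("alice", "s3cret", ot.realm, "REGISTER", uri, n2, 1, cn)
    results.append(ot.verify(b1, "REGISTER", now=t0 + 1))    # first use: ok
    b2 = client_auth("alice", "s3cret", ot.realm, "REGISTER", uri, n2, 2, cn)
    results.append(ot.verify(b2, "REGISTER", now=t0 + 2))    # nonce consumed: unknown-nonce
    return results


if __name__ == "__main__":
    print(simulate())
```

The point the reply makes is visible in the two "stale" and "unknown-nonce" outcomes: rejecting a response in your script is only useful if the next challenge carries a different nonce, otherwise the same captured header verifies again. Whatever nonce policy the server applies has to match what the script does when it declines a request.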