Bug 54637 - Digest: secret not used
Summary: Digest: secret not used
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth_digest
Version: 2.4.4
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-03-05 08:30 UTC by nicolas.daniels
Modified: 2018-02-16 13:49 UTC

Description nicolas.daniels 2013-03-05 08:30:53 UTC
Not sure this is a bug, but nobody is replying to me on the user mailing list, so I filed it here.

I've been trying digest authentication for a while now and just noticed a strange behavior when working on a cluster.

Actually I have 2 Apaches behind a load balancer (so serving the same domain), and I noticed that an authentication sent to Apache A is valid when sent to Apache B.
Let me explain:

1. My client connects to Apache A; it receives an authentication required response with a nonce (valid for 1h).
2. My client authenticates itself on Apache A using the received nonce.
3. A few minutes later, the same client issues another request directly using the nonce already received, but the request goes to Apache B ---> No problem, the nonce is valid!

Looking at the code, it seems everything is done to prevent this by using a randomly generated secret in the nonce hash.

However, debugging a bit, it seems the nonce_ctx initialization is performed BEFORE the secret initialization, so it is always initialized with the same empty secret and generated nonces are valid everywhere.

So basically, in mod_auth_digest.c, set_realm function is called before initialize_secret.

Actually this behavior fits my needs for now, but I wanted to know if it is a desired behavior, if it is a bug, and if it might change in a future version?

I checked this on Apache 2.4.2 and 2.4.4 under Ubuntu.
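The following is an added model of the nonce scheme the report describes, written for this page and not taken from mod_auth_digest.c: each server generates a random secret, folds secret + realm into a hash context once (the report's nonce_ctx), and mints a nonce by appending a timestamp to that context. The nonce layout (hex time followed by a SHA-1 hex digest) and the 20-byte secret length are simplifications chosen for the illustration; httpd's real encoding differs. The model lets a maintainer reproduce the reporter's check offline: a nonce minted on server A is validated on server B, once with both servers stuck on an all-zero secret (the ordering bug) and once with independent random secrets (the intended behavior).

```python
import hashlib
import hmac
import os
import time

# Assumed length of the per-server random secret (a constructed value for this model).
SECRET_LEN = 20

# What a secret looks like when nonce_ctx is built before the secret is initialised:
# an all-zero buffer, identical on every server.
ZERO_SECRET = b"\x00" * SECRET_LEN


class DigestServer:
    """One Apache instance's view of digest nonces (constructed model)."""

    def __init__(self, realm, secret=None, nonce_lifetime=3600):
        self.realm = realm
        self.secret = secret if secret is not None else os.urandom(SECRET_LEN)
        self.nonce_lifetime = nonce_lifetime
        # Equivalent of the pre-computed nonce_ctx: hash context over secret || realm.
        # If self.secret is ZERO_SECRET, every server computes the same context.
        self._ctx = hashlib.sha1(self.secret + realm.encode())

    def _nonce_hash(self, timestr):
        # Copy the partial context (like memcpy of nonce_ctx) and append the time.
        ctx = self._ctx.copy()
        ctx.update(timestr.encode())
        return ctx.hexdigest()

    def gen_nonce(self, now=None):
        t = int(now if now is not None else time.time())
        timestr = "%08x" % t
        return timestr + self._nonce_hash(timestr)

    def check_nonce(self, nonce, now=None):
        """Return (ok, reason). Valid only if the digest part was produced with
        this server's secret + realm and the timestamp is still within lifetime."""
        if len(nonce) != 8 + 40:
            return False, "malformed"
        timestr, digest = nonce[:8], nonce[8:]
        expected = self._nonce_hash(timestr)
        if not hmac.compare_digest(expected, digest):
            return False, "hash mismatch (wrong secret or realm)"
        t_now = int(now if now is not None else time.time())
        if t_now - int(timestr, 16) > self.nonce_lifetime:
            return False, "expired"
        return True, "ok"


def cross_server_check(secret_a, secret_b, realm="example"):
    """The reporter's observation as a function: mint a nonce on A, present it to B
    a minute later, and report whether B accepts it."""
    a = DigestServer(realm, secret_a)
    b = DigestServer(realm, secret_b)
    nonce = a.gen_nonce(now=1000)
    return b.check_nonce(nonce, now=1000 + 60)[0]


def demo():
    # Buggy deployment: both servers hash the zero secret -> A's nonce passes on B.
    buggy = cross_server_check(ZERO_SECRET, ZERO_SECRET)
    # Intended deployment: independent random secrets -> A's nonce is rejected on B.
    fixed = cross_server_check(os.urandom(SECRET_LEN), os.urandom(SECRET_LEN))
    return buggy, fixed


if __name__ == "__main__":
    print(demo())
```

The behavior the reporter saw corresponds to `cross_server_check(ZERO_SECRET, ZERO_SECRET)` returning `True`; with per-server random secrets the same call returns `False`, which is the cross-node isolation the secret is there to provide. Note that in a load-balanced deployment that isolation is itself a deployment choice: distinct secrets mean a client must re-authenticate when it lands on a different node unless session affinity is configured.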
Comment 1 Stefan Fritsch 2013-06-12 19:34:52 UTC
trunk commit: r1492395
Comment 2 Graham Leggett 2018-02-16 13:49:01 UTC
Fixed in v2.4.30.