This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays...
Correct - the trouble with timestamp checks is that ?most/some? browsers will NOT cache the password the user has entered; but the 'response' (i.e. nonce+realm+password). So if one sets a 5-minute timeout on the timestamp - then users will be prompted for a password every 5 minutes or so.
That's crap. So, we should do it right and get the browsers fixed.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
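The check the thread is arguing about, written out as an added example (this is not code from the thread or from Apache's mod_auth_digest): the server embeds an issue time in the Digest nonce, authenticates it with an HMAC, and on every request classifies the nonce as fresh, stale (genuine but outside the window, which is where a same-site replay of a captured Authorization header lands) or invalid. The expired case is answered with a `stale=true` challenge; whether a given browser then re-prompts or reuses what it cached is the client behaviour discussed above. The secret, realm, window size and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac

# Constructed secret for this example; a real server would load it from its config.
SERVER_SECRET = b"example-secret-do-not-use"


def make_nonce(issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Build a Digest nonce of the form base64(timestamp ':' HMAC(secret, timestamp)).

    Embedding the timestamp lets the server judge the nonce's age without
    per-client state; the HMAC stops clients from minting nonces themselves.
    """
    ts = str(issued_at).encode()
    tag = hmac.new(secret, ts, hashlib.sha256).hexdigest()
    return base64.b64encode(ts + b":" + tag.encode()).decode()


def check_nonce(nonce: str, now: int, max_age: int, secret: bytes = SERVER_SECRET) -> str:
    """Classify a client-supplied nonce.

    Returns "ok" if genuine and at most max_age seconds old, "stale" if
    genuine but outside the window (a replayed Authorization header ends up
    here once the window has passed), and "invalid" if this server never
    issued it (bad encoding, bad timestamp field, or bad HMAC).
    """
    try:
        raw = base64.b64decode(nonce, validate=True)
        ts, tag = raw.split(b":", 1)
        issued_at = int(ts)
    except (ValueError, TypeError):
        return "invalid"
    expected = hmac.new(secret, ts, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return "invalid"
    # A nonce dated in the future is treated like an expired one rather than accepted.
    if issued_at > now or now - issued_at > max_age:
        return "stale"
    return "ok"


def challenge_header(now: int, stale: bool = False) -> str:
    """Build the WWW-Authenticate value for a new challenge.

    stale=true tells the client that only the nonce was rejected, not the
    credentials, so a client that still holds them may retry without
    asking the user again (RFC 2617 semantics; the realm is a placeholder).
    """
    header = 'Digest realm="example", qop="auth", nonce="%s"' % make_nonce(now)
    if stale:
        header += ", stale=true"
    return header


if __name__ == "__main__":
    n = make_nonce(1000)
    for now in (1100, 1400):
        verdict = check_nonce(n, now, max_age=300)
        print(now, verdict, "->", challenge_header(now, stale=(verdict == "stale")))
```

With a 300-second window the same nonce is accepted at t=1100 and answered with a `stale=true` challenge at t=1400; shortening the window tightens the replay exposure at the cost of more frequent re-challenges, which is exactly the trade-off the thread describes.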