> what if you get nonce="", is that good enough? would it be more correct
> to check:
> 
> qr/nonce="[^"]+"/,

yeah, I thought about that.  but then I thought that I'm not so sure that I
care that nonce is implemented properly as I am that it appears at all -
having a nonce field indicates that ap_note_digest_auth_failure was called,
while checking the nonce value indicates that it was called and the
underlying implementation is implementing a correct nonce scheme.

as an aside, I don't see anything in the RFCs that indicate that nonce="" is
invalid - 2617 hints that some nonce choices are better than others, but I'm
not entirely certain that it can't be just an empty string and be RFC
compliant.  from a technical standpoint it certainly can be - the digest
mechanism would compute the same digest so long as both parties agreed to
use "" as the nonce.  so I guess I'm saying that I don't know whether
nonce="" is valid or not, but I might think so.

anyway, either way is fine with me - I don't feel strongly one way or the
other so feel free to change it to the above regex if you like, since it
would certainly be odd to find nonce="" which would indicate that something
may have changed over in mod_auth_digest.c.

--Geoff
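A small added illustration, written afterwards in Python and not part of this thread or of mod_auth_digest, of the two checks being discussed (nonce present vs. nonce non-empty) and of the point that a challenge with nonce="" still round-trips through the RFC 2617 digest computation. The challenge strings are constructed; the user, realm, password, URI, nonce and cnonce values are the RFC 2617 section 3.5 example.

```python
import hashlib
import re

# Constructed sample challenges in the shape a server would send (not real captures).
CHALLENGE_OK = ('Digest realm="testrealm@host.com", '
                'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth", algorithm=MD5')
CHALLENGE_EMPTY = 'Digest realm="testrealm@host.com", nonce="", qop="auth", algorithm=MD5'

# name="quoted value" or name=token, comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Parse a WWW-Authenticate: Digest challenge into a dict of its parameters."""
    scheme, _, params = header.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest challenge')
    out = {}
    for m in _PARAM.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def nonce_present(header):
    """The looser check from the thread: a nonce field appears at all."""
    return 'nonce' in parse_challenge(header)


def nonce_nonempty(header):
    """The stricter check, equivalent to qr/nonce="[^"]+"/: nonce is non-empty."""
    return parse_challenge(header).get('nonce', '') != ''


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    nc='00000001', cnonce='0a4f113b', qop='auth'):
    """RFC 2617 response with qop=auth, algorithm=MD5: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f'{user}:{realm}:{password}')
    ha2 = _md5(f'{method}:{uri}')
    return _md5(f'{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}')


def server_accepts(challenge, user, password, method, uri, client_response):
    """Server side recomputes from the same challenge it issued; an empty nonce still matches."""
    p = parse_challenge(challenge)
    return digest_response(user, p['realm'], password, method, uri, p['nonce']) == client_response
```

With CHALLENGE_EMPTY, nonce_present() is true, nonce_nonempty() is false, and server_accepts() still succeeds, which is exactly why the stricter regex catches a degraded nonce scheme that the looser one would pass.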

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]