what if you get nonce="", is that good enough? would it be more correct to check:
qr/nonce="[^"]+"/,
yeah, I thought about that. but then I thought that I'm not so sure that I care that nonce is implemented properly as I am that it appears at all - having a nonce field indicates that ap_note_digest_auth_failure was called, while checking the nonce value indicates that it was called and the underlying implementation is implementing a correct nonce scheme.
as an aside, I don't see anything in the RFCs that indicates that nonce="" is invalid - 2617 hints that some nonce choices are better than others, but I'm not entirely certain that it can't be just an empty string and be RFC compliant. from a technical standpoint it certainly can be - the digest mechanism would compute the same digest so long as both parties agreed to use "" as the nonce. so I guess I'm saying that I don't know whether nonce="" is valid or not, but I might think so.
anyway, either way is fine with me - I don't feel strongly one way or the other so feel free to change it to the above regex if you like, since it would certainly be odd to find nonce="" which would indicate that something may have changed over in mod_auth_digest.c.
Sure, I haven't read the RFC so if that's what it says, then let's keep it as is. Thanks for checking that, Geoff.
--
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
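An added example, not code from this thread or from the Apache test suite: a Perl sketch that contrasts a presence-only nonce check with the stricter pattern quoted above, and shows that the RFC 2617 request-digest (without qop) can still be computed when the nonce is the empty string. The presence-only pattern, the header values, the credentials and the sub names are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed WWW-Authenticate values, not captured from a real server.
my %challenges = (
    normal  => 'Digest realm="test", nonce="dcd98b7102dd2f0e", algorithm=MD5',
    empty   => 'Digest realm="test", nonce="", algorithm=MD5',
    missing => 'Digest realm="test", algorithm=MD5',
);
my $loose  = qr/nonce="/;         # assumed presence-only check
my $strict = qr/nonce="[^"]+"/;   # pattern proposed in the thread

# Parse the auth-params of a Digest challenge into a hash (keys lowercased).
sub parse_challenge {
    my ($header) = @_;
    return unless $header =~ s/^\s*Digest\s+//i;
    my %p;
    while ($header =~ /\G\s*,?\s*([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/gc) {
        $p{lc $1} = defined $2 ? $2 : $3;
    }
    return \%p;
}

# Distinguish "field absent" from "field present but empty".
sub nonce_state {
    my ($header) = @_;
    my $p = parse_challenge($header) or return 'not-digest';
    return 'missing' unless exists $p->{nonce};
    return length($p->{nonce}) ? 'non-empty' : 'empty';
}

# RFC 2617 request-digest without qop: MD5(HA1 ":" nonce ":" HA2).
sub digest_response {
    my ($user, $realm, $pass, $method, $uri, $nonce) = @_;
    my $ha1 = md5_hex(join ':', $user, $realm, $pass);
    my $ha2 = md5_hex(join ':', $method, $uri);
    return md5_hex(join ':', $ha1, $nonce, $ha2);
}

for my $name (sort keys %challenges) {
    my $h = $challenges{$name};
    printf "%-8s loose=%d strict=%d state=%s\n", $name,
        ($h =~ $loose ? 1 : 0), ($h =~ $strict ? 1 : 0), nonce_state($h);
}

# An empty nonce still gives a well-defined digest, identical on every request for this URI.
my @req = ('user', 'test', 'secret', 'GET', '/protected/');
print "nonce=\"\"    -> ", digest_response(@req, ''), "\n";
print "fresh nonce -> ", digest_response(@req, 'dcd98b7102dd2f0e'), "\n";
```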
