Right now we do not verify the nonce used in digest. This means that an attacker can replay the response from another site or section on the web site if
-> the user's username+password is the same across the site.
-> the realm name is the same
Unfortunately that is often the case (and for real, there is a lot of DAV and webdav out there).
Below somewhat addresses that by verifying that the nonce is actually our own.
This doesn't appear to check that the timestamp is anywhere near now, which would prevent same-site replays...
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
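The two checks discussed in this thread, verifying that a Digest nonce was minted by this server for this realm and that its timestamp is close to the current time, can be illustrated with the following added example. It is not Apache's mod_auth_digest code and not the patch referred to above; the nonce format (`timestamp:HMAC`), the server secret, the five-minute window and the sample realm names are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

# Server-side secret used to key the nonce MAC. Constructed per process for
# this example; a real deployment would load a persistent secret.
SECRET_KEY = os.urandom(32)

# Freshness window (seconds). A replayed response is only accepted while the
# nonce inside it is younger than this, so the window bounds the replay risk.
MAX_NONCE_AGE = 300
CLOCK_SKEW = 60


def make_nonce(realm, now=None, key=SECRET_KEY):
    """Mint a nonce bound to this server (via key) and to the realm."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(key, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_nonce(nonce, realm, now=None, key=SECRET_KEY, max_age=MAX_NONCE_AGE):
    """Return True only if nonce is ours, for this realm, and fresh.

    Failing the MAC check means the nonce was not minted by this server for
    this realm: a response captured on another site (or another realm on this
    site) cannot be replayed here even if username, password and realm text
    match, because that site does not share our key. Failing the age check
    catches same-site replays of an old response, which is the gap Ben points
    out above.
    """
    try:
        ts_str, mac = nonce.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed nonce
    expected = hmac.new(key, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # not our nonce, or minted for a different realm
    current = now if now is not None else time.time()
    if ts > current + CLOCK_SKEW:
        return False  # timestamp from the future: forged or badly skewed clock
    if current - ts > max_age:
        return False  # stale nonce: treat as a replay, client must re-auth
    return True


if __name__ == "__main__":
    n = make_nonce("dav", now=1000)
    print(n, verify_nonce(n, "dav", now=1100))          # fresh, ours: True
    print(verify_nonce(n, "dav", now=1000 + 301))       # stale: False
    print(verify_nonce(n, "other-realm", now=1100))     # wrong realm: False
```

Note that the age window only narrows the replay problem: within the window an identical response is still accepted. Closing it fully requires the server to also track the nonce-count (`nc`) value per nonce, which this example deliberately leaves out.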