On Tue, 2008-12-16 at 16:10 -0500, Arjun Nair wrote:
> So, I changed the status server to get the credentials from the
> Proxy-Authorization header. If the phone re-subscribes within 5 mins,
> the nonce is still valid, and the status server sends back a 202.
> However, any re-SUBSCRIBEs after 5 mins are turned down with a 401.
> And, as was happening before, the phone chokes on the 401.
>
> Therefore, to work around this problem, SipStatus needs to not only
> accept credentials from the Proxy-Authorization header, but it also
> needs to stop checking if the nonce is expired..

No. If that's the best we can do, then we should just stop challenging
SUBSCRIBE requests in the first place and punt - allowing an expired
nonce permits such an easy replay attack that the whole attempt to
protect access to the dialog data is pointless.

> Now, the only thing left to check is if the phone hangs on a 407 as well..

Slow down. Only the proxy can send a 407 or use the Proxy-Authorization
header.
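The replay concern raised in the reply, as an added example that is not part of the thread and is not sipX code: a digest check (RFC 2617 without qop) over a time-stamped nonce, run against one captured set of SUBSCRIBE credentials with the expiry check on and off. The secret, realm, user, password, URI and all function names are constructed for illustration.

```python
import hashlib, hmac

SECRET = b"constructed-server-secret"      # assumption: per-server nonce key
REALM, NONCE_LIFETIME = "example.org", 300  # 300 s = the 5 minutes in the thread
USERS = {"alice": "constructed-password"}   # constructed credentials

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def nonce_tag(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def make_nonce(now):
    """Nonce = issue time plus an HMAC tag, so the server can date it statelessly."""
    ts = str(int(now))
    return f"{ts}:{nonce_tag(ts)}"

def nonce_age(nonce, now):
    """Age in seconds, or None if this server did not issue the nonce."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit() or not hmac.compare_digest(tag.encode(), nonce_tag(ts).encode()):
        return None
    return now - int(ts)

def digest_response(user, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def check_subscribe(creds, now, enforce_expiry=True):
    """Return (status, stale) for a SUBSCRIBE carrying digest credentials."""
    age = nonce_age(creds["nonce"], now)
    password = USERS.get(creds["username"])
    if age is None or password is None:
        return 401, False
    expected = digest_response(creds["username"], password, "SUBSCRIBE",
                               creds["uri"], creds["nonce"])
    if not hmac.compare_digest(expected.encode(), creds["response"].encode()):
        return 401, False
    if enforce_expiry and age > NONCE_LIFETIME:
        return 401, True   # digest is right, nonce is old: re-challenge with stale=true
    return 202, False

def captured_subscribe(now):
    """Constructed sample: credentials from one legitimate SUBSCRIBE at time `now`."""
    nonce, uri = make_nonce(now), "sip:alice@example.org"
    return {"username": "alice", "uri": uri, "nonce": nonce,
            "response": digest_response("alice", USERS["alice"], "SUBSCRIBE", uri, nonce)}
```

With `enforce_expiry=False` the same captured credentials are accepted at any later time, which is the case the reply objects to; with the check on, the server answers 401 and can mark the challenge `stale=true` so a conforming client recomputes the digest with the new nonce.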
