HTTP authentication, request received in quick succession
HTTP request may be received in quick succession, for avoiding re-running the while protocol for each request, the server nonce may be re-used (timestamp for nonce to determine the window in which client开发者_开发问答 request are valid) by the client for multiple requests.
What are pros and cons using this method?
The pros of re-using a nonce are that it does take less resources for maintaining and checking valid nonces and can avoid authentication failures for pipelined requests:
[…] the method chosen for generating and checking the nonce also has performance and resource implications. For example, a server may choose to allow each nonce value to be used only once by maintaining a record of whether or not each recently issued nonce has been returned and sending a next-nonce directive in the Authentication-Info header field of every response. This protects against even an immediate replay attack, but has a high cost checking nonce values, and perhaps more important will cause authentication failures for any pipelined requests (presumably returning a stale nonce indication).
However, the cons are that replay attacks are more probable than with one-time nonces:
For applications where no possibility of replay attack can be tolerated the server can use one-time nonce values which will not be honored for a second use. This requires the overhead of the server remembering which nonce values have been used until the nonce time- stamp (and hence the digest built with it) has expired, but it effectively protects against replay attacks.
精彩评论