0

Simply put, the digest authentication goes as follows:

  1. The user tries to access some resource that requires authentication.
  2. The server responds with 401 and the www-authenticate header.
  3. The client responds with a request that includes the authentication header and the required fields.
  4. The server allows the user access to the resource.

My question is, how does the user authenticate to any other resource? does the server set a cookie with the sessionID or something or the user has to send the authenticate header with every subsequent request?

Improve this question
3
  • 1
    Have you looked this up? Looked up the RFC? Read any of the articles online? Read the wiki on the topic? en.wikipedia.org/wiki/… Commented Sep 4, 2022 at 8:17
  • yes, yes I did. The RFC nor the articles on msdn, mdn explain what happens after the authentication is completed (maybe they do but I couldn't find it) and the wikipedia example doesn't explain it either. I want to know what happens after the authentication is complete, not the steps for the authentication itself. Commented Sep 4, 2022 at 9:35
  • Wiki addresses this specifically. There's a whole paragraph at the end of the section I linked... Commented Sep 4, 2022 at 10:12

1 Answer 1

Reset to default
2

does the server set a cookie with the sessionID or something or the user has to send the authenticate header with every subsequent request?

(Thanks to schroeder for pointing out) The standard RFC 2617 describes a nonce-count as a protection against replays:

The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request.

By increasing this counter the client could use the same nonce from the server for further requests, i.e. without sending an unauthenticated request first and then extracting the new nonce from servers 401 response.

In general, basic authentication and digest authentication are rarely used in the context of session using web applications anyway because they are too limited in terms of security (like no 2FA) and usability and branding (fixed user interface which cannot be customized).

Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.