Oracle iPlanet Web Server Returns "stale"="true" Flag to Client for Failed Digest Authentication
Last updated on NOVEMBER 05, 2016
Applies to: Oracle iPlanet Web Server - Version 6.1 and later
Information in this document applies to any platform.
***Checked for relevance on 15-Aug-2013***
HTTP Digest authentication is enabled on Oracle iPlanet Web Server 6.1 to protect web services deployed on a specific URI. Access control enforced by Digest authentication works properly with the HTTP GET and POST methods when correct user credentials are provided. But when incorrect user credentials are provided with the POST method, the web server denies access, which is as expected, and also sets the "stale" flag to "true" in the response. The web server should not have set "stale" to true: a "true" value may cause the client to resend the request again and again and go into a loop. RFC 2617 explains the "stale" flag in detail:
"A flag, indicating that the previous request from the client was rejected because the nonce value was stale. If stale is TRUE (case-insensitive), the client may wish to simply retry the request with a new encrypted response, without reprompting the user for a new username and password. The server should only set stale to TRUE if it receives a request for which the nonce is invalid but with a valid digest for that nonce (indicating that the client knows the correct username/password). If stale is FALSE, or anything other than TRUE, or the stale directive is not present, the username and/or password are invalid, and new values must be obtained."
Based on the RFC text above, a server must set stale to true only when the digest is valid for the (expired) nonce, and when it does so it should also issue a new nonce in the challenge; a failed digest for the presented nonce means the credentials are wrong and stale must be false (or absent) so the client reprompts the user.
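The following is an added example, not code from the article or from Oracle iPlanet Web Server. It implements the RFC 2617 qop=auth digest computation and a minimal server-side decision that distinguishes "wrong credentials" (stale=false) from "correct credentials, expired nonce" (stale=true with a new nonce). A `buggy=True` switch reproduces the behaviour the article describes, and a simulated client that silently retries on stale=true shows why that behaviour produces a retry loop. The realm, user table, nonce lifetime and URI are constructed values.

```python
import hashlib
import hmac
import secrets

REALM = "iplanet-example"      # constructed realm name
USERS = {"alice": "s3cret"}    # constructed user table (plaintext only for the demo)
NONCE_TTL = 300                # seconds a nonce stays valid (assumed policy)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server-side Digest check. `now` is passed in explicitly so nonce
    expiry is deterministic and testable."""

    def __init__(self, buggy=False):
        self.issued = {}        # nonce -> time it was issued
        self.buggy = buggy      # True mimics the behaviour described in the article

    def challenge(self, now, stale):
        """Build WWW-Authenticate parameters with a freshly issued nonce."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return {"realm": REALM, "qop": "auth", "nonce": nonce,
                "stale": "true" if stale else "false"}

    def authenticate(self, method, uri, creds, now):
        """Return (status, challenge-or-None) for a request carrying Digest creds."""
        password = USERS.get(creds["username"])
        expected = digest_response(creds["username"], password or "", method, uri,
                                   creds["nonce"], creds["nc"], creds["cnonce"])
        digest_ok = password is not None and hmac.compare_digest(expected, creds["response"])
        if not digest_ok:
            # Wrong username/password. RFC 2617: stale must NOT be true here, so the
            # client reprompts the user. The buggy mode sets it anyway.
            return 401, self.challenge(now, stale=self.buggy)
        issued_at = self.issued.get(creds["nonce"])
        if issued_at is None or now - issued_at > NONCE_TTL:
            # Digest is valid for the nonce, but the nonce is unknown/expired:
            # stale=true plus a new nonce lets the client retry without reprompting.
            return 401, self.challenge(now, stale=True)
        return 200, None


def client_rounds(server, username, password, now, max_rounds=5):
    """Simulate a client that silently retries on stale=true, as RFC 2617 permits.
    Returns (final_status, number_of_authenticated_requests_sent)."""
    method, uri = "POST", "/service"
    chal = server.challenge(now, stale=False)          # initial 401 challenge
    for rounds in range(1, max_rounds + 1):
        cnonce = secrets.token_hex(8)
        creds = {"username": username, "nonce": chal["nonce"], "nc": "00000001",
                 "cnonce": cnonce,
                 "response": digest_response(username, password, method, uri,
                                             chal["nonce"], "00000001", cnonce)}
        status, chal = server.authenticate(method, uri, creds, now)
        if status == 200 or chal["stale"] != "true":
            return status, rounds                       # done, or told to reprompt
    return 401, max_rounds                              # retry cap hit: the loop


if __name__ == "__main__":
    print("correct server, bad password:", client_rounds(DigestServer(), "alice", "wrong", 0))
    print("buggy server, bad password:  ", client_rounds(DigestServer(buggy=True), "alice", "wrong", 0))
```

A conformant server answers a wrong password once with stale=false and the client stops; the buggy variant keeps answering stale=true, so a client that trusts the flag resends the same wrong credentials until its own retry limit, which is the loop the article warns about.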