In RFC 7616 for Digest Authentication, the nonce count (nc) is described as:

"The nc value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request."

and in the same RFC, the explanation for nonce states that:

"A server-specified string which should be uniquely generated each time a 401 response is made."

What I don't understand from the RFC is under which circumstances the same nonce is ever used again in a response that required the nonce count to ever be incremented.

Any explanation?

schroeder
GalSuchetzky
    This is covered by the wiki I sent yesterday, too. 401 response only happens when the client doesn't send the auth header. Section 3.3 of the link you provided: "If a server receives a request for an access-protected object, and an acceptable Authorization header field is not sent, the server responds with a "401 Unauthorized" status code". It also explains why there is a count and not just the nonce. – schroeder Sep 05 '22 at 13:33
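
The exchange discussed above, as an added example that is not part of the original thread: one 401 challenge yields one nonce, the client reuses it on later requests while incrementing nc, and the server uses nc to reject a replayed Authorization header. The `Server` and `Client` classes, realm and credentials are constructed for illustration; the response formula is the qop=auth form from RFC 7616 with SHA-256, and the strictly-increasing nc check is a simplification of replay tracking.

```python
import hashlib
import secrets

REALM = "example"            # constructed value
USERS = {"alice": "s3cret"}  # constructed credentials

def h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)), the qop=auth form."""
    ha1 = h(f"{user}:{REALM}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Server:
    def __init__(self):
        self.last_nc = {}  # nonce -> highest nc accepted so far

    def challenge(self) -> str:
        """Issued only with a 401, i.e. when no acceptable Authorization was sent."""
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.last_nc or user not in USERS:
            return False  # unknown nonce: a real server would answer with a new 401
        count = int(nc, 16)
        if count <= self.last_nc[nonce]:
            return False  # nc did not increase for this nonce: treat as a replay
        expected = digest_response(user, USERS[user], method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = count
        return True

class Client:
    def __init__(self, user, password, nonce):
        self.user, self.password, self.nonce, self.count = user, password, nonce, 0

    def authorize(self, method, uri) -> dict:
        """Reuse the nonce from the single 401 and bump nc for every new request."""
        self.count += 1
        nc, cnonce = f"{self.count:08x}", secrets.token_hex(8)
        resp = digest_response(self.user, self.password, method, uri, self.nonce, nc, cnonce)
        return dict(user=self.user, method=method, uri=uri, nonce=self.nonce,
                    nc=nc, cnonce=cnonce, response=resp)
```

Because nc is part of the hashed input, a captured header cannot be replayed with a higher nc unless the response is recomputed, which requires the password.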
