How does HTTP digest replay attack prevention deal with resent requests? - http

I have a problem where the HTTP client sends a valid settings change request using digest authentication, which is processed by the server, but the request results in a delay of ~1 second in sending the HTTP ACK.
Due to the delay, the client resends the request. Because it's a resend, the nonce count is the same as the original. The server expects the nonce count to increment with each request, and so flags the resent request as a replay attack, and asks the client to reauthenticate.
What is the correct solution to this problem? I don't want to send the ACK before processing the request, because I need to know that the request succeeded before I send a 200 OK message.

Related

Can the client send http request while it is getting the response?

Can the HTTP client send a request while receiving the HTTP response?
For example, a client sends HTTP request A to server. Then, the server starts to send HTTP response. Before the client finish to receive HTTP response A, the client sends additional request B. Can it be possible? or Does it follow the HTTP RFC?
I think that above scenario is different from the pipelining. What I know about the pipelining is the scenario that client send multiple request A,B,C then the server response A,B,C consecutively. However, in the above scenario, request B is issued while the processing the response A.
Thank you
With the same connection object you must read the whole response before you can send a new request to the server, because response provides access to the request headers, return type and the entity body, If you send new request before fully reading response, client may get confused with mismatched responses.
Again it totally depends upon client library you using. Library could allow asynchronous requests.
There are concepts like
AsyncTask in android, promis in Angularjs etc.
allow asynchronous request.

"Expect: 100-Continue" and... how a server tell the client it wish to receive the body and discard it?

HTTP Protocol: http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-26.html#header.expect
A server that responds with a final status code before reading the entire message body SHOULD indicate in that response whether it intends to close the connection or continue reading and discarding the request message
If the server wish to close the connection it will include "Connection: close" in his response. But how can it tell the client it wish to continue reading and discarding the body ? I don't know any header to do that.
And if it receive the body and discard it, this doesnt mean that "100-Continue" is useless ? That's the whole point of "100-Continue", not sending the body if it will be rejected anyway.
When the server sends its final reply, it has finished processing the request. If the server sends that reply while the client is still sending its data, the client should stop sending, and then the presense of an HTTP keep-alive (an explicit Connection: keep-alive header in an HTTP 1.0 reply, or a missing Connection: close header in an HTTP 1.1 reply) is the server's indication that it will be discarding any remaining data that is sent, since it needs to clear the socket of pending data before it can receive a new request on the same connection.
The 100-Continue is not useless. Think of what happens when the server sends 100 to let the client start sending, then later errors and decides to stop receiving and send a final reply reporting the error. The server did not know at the start of the request that it was going to error.

Netty Client sending Keep Alive HTTP request

I am creating a Netty Client which sends HTTP request to POST data to server.To increase the performance what i did was using Keep alive Http request(i know that in HTTP 1.1 all requests are keep alive by default, so i am making sure that Connection header is not set to close while sending the Http request) so that it uses the same channel to send the Http Request. Now when i send the Http request to the correct URL,i.e. if i get HttpResponse Status OK in return from server, i am able to send the next Http Request properly but when i send the Http Request for which i get BAD REQUEST or SERVICE UNAVAILABLE or something other than OK then i am unable to send the next request that is the channel future f.success() returned after calling channel.write(request) is false. I am unable to understand why it happens. I have followed the same model of coding as done in HttpSnoopClient example given in netty,
except i have removed the connection:close header & even the client handler is the same as that given in snoop client, also i have am instantiating the bootstrap only once at the starting
I tried getting channelFuture f.cause().getMessage() but it was null it seems

how to determine the size of a packet

Suppose I initiate a TCP connection for HTTP request and response. After the completion of three way handshaking process, I now send a request to the server for a HTTP packet with SYN flag set. The server responses to my request with ACK flag. Upon completion of the response, it will send me a FIN flag. Now how can I determine the size of the packet that the server send me during the request and response? Is there any process to do so?
Suppose I initiate a TCP connection for HTTP request and response. After the completion of three way handshaking process, I now send a request to the server for a HTTP packet with SYN flag set.
No you don't. The SYN was in the first packet sent in the three-way handshake. That's done. At best you will be piggy-backing the HTTP request on the final ACK packet of the connect handshake.
The server responses to my request with ACK flag.
No, the server responds to your HTTP request with an HTTP response. The ACK is irrelevant at the HTTP level.
Upon completion of the response, it will send me a FIN flag.
No it won't, unless you're speaking HTTP 1.0 or you have set the Connection: close header. Otherwise it will keep the connection open for HTTP keepalive.
Now how can I determine the size of the packet that the server send me during the request and response? Is there any process to do so?
The server didn't send you anything during the request. The size of the response body is given by the Content-length header or the sum of the chunked-encoding section sizes if that's used. You need to read the HTTP 1.1 RFC about this, it's non-trivial.
You also need to stop confusing HTTP with TCP. HTTP is an application protocol layered on top.

How HTTP Server inform its clients that the response has ended

I know that, the http clients sends 0x10 0x13 bytes to inform the http server that the request data has finished.
But how the server informs the http clients that the response data has finished? (it sends -1 i.e. <EOF> correct)?
No. HTTP Clients do not send CRLF to the server to indicate that the request is complete, and servers do not send a particular byte sequence to the client to indicate completion. You should read this document: http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4 to understand how clients and servers are able to determine when a request or response is complete. The short summary is that the Content-Length header, Chunked Transfer-encoding terminator, or TCP/IP connection closure are all used as signals.

Resources