samizdatco/nginx-http-auth-digest

auth_digest_expires does not seem to work


I am using nginx 1.21.3 and installed it from source compiling it with this module.

The authentication works in that it asks the user for a username and password. But I do not see the expiry happening. I am able to access the website without logging in a long time after. I am using these settings.

                auth_digest_timeout 60s; # allow users to wait 1 minute between receiving the
                                         # challenge and hitting send in the browser dialog box
                auth_digest_expires 10s; # after a successful challenge/response, let the client
                                         # continue to use the same nonce for additional requests
                                         # for 10 seconds before generating a new challenge
                auth_digest_replays 2;   # also generate a new challenge if the client uses the
                                         # same nonce more than 2 times before the expire time limit

Did you check the headers being sent? It's probably your browser caching the password and automatically authenticating again.
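The behaviour described in the reply above can be reproduced with a small model; this is an added example, not code from the thread or from the module. It assumes the server flags the fresh challenge `stale=true` for an expired nonce, as RFC 2617 describes, and all names and values (`Server`, `Browser`, the realm, the nonces) are constructed for illustration; replay counting is not modelled.

```python
import hashlib

REALM, URI = "constructed-realm", "/private/"   # constructed sample values

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def response(user, pw, nonce, nc="00000001", cnonce="c0"):
    # RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha1, ha2 = md5(f"{user}:{REALM}:{pw}"), md5(f"GET:{URI}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Server:
    """Toy digest server with expiring nonces (a model, not the module's code)."""
    def __init__(self, expires, users):
        self.expires, self.users = expires, users
        self.first_ok = {}            # nonce -> time of first successful use

    def challenge(self, stale):
        nonce = f"nonce{len(self.first_ok) + 1}"  # real nonces are unpredictable
        self.first_ok[nonce] = None
        return 401, {"nonce": nonce, "stale": stale}

    def handle(self, now, auth=None):
        if auth is None or auth["nonce"] not in self.first_ok:
            return self.challenge(stale=False)
        pw = self.users.get(auth["user"], "")
        if auth["response"] != response(auth["user"], pw, auth["nonce"]):
            return self.challenge(stale=False)   # bad password: user must retype
        start = self.first_ok[auth["nonce"]]
        if start is not None and now - start > self.expires:
            return self.challenge(stale=True)    # good password, expired nonce
        self.first_ok[auth["nonce"]] = now if start is None else start
        return 200, None

class Browser:
    """Caches credentials in memory; retries silently when stale=true."""
    def __init__(self, user, pw):
        self.user, self.pw, self.nonce, self.prompts = user, pw, None, 0

    def get(self, server, now):
        for _ in range(3):                       # give up after three attempts
            auth = self.nonce and {"user": self.user, "nonce": self.nonce,
                                   "response": response(self.user, self.pw, self.nonce)}
            status, chal = server.handle(now, auth)
            if status == 200:
                break
            self.prompts += 0 if (self.nonce and chal["stale"]) else 1
            self.nonce = chal["nonce"]
        return status
```

In this model the nonce is replaced after `expires` seconds, but the login dialog appears only once: expiry limits how long a nonce is accepted, not how long the browser keeps the password.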