Invalidate credentials if the server rejects them.

net/http/http_auth_handler_digest.cc

Index: net/http/http_auth_handler_digest.cc
diff --git a/net/http/http_auth_handler_digest.cc b/net/http/http_auth_handler_digest.cc
index e8cb819cef70ec390e5aebc5a3fefd7187d9eeb9..28d2f58aa9bcc1fe147b315082be28b031b4784d 100644
--- a/net/http/http_auth_handler_digest.cc
+++ b/net/http/http_auth_handler_digest.cc
@@ -114,16 +114,21 @@ HttpAuth::AuthorizationResult HttpAuthHandlerDigest::HandleAnotherChallenge(
     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 
   HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs();
+  std::string realm;
 
-  // Try to find the "stale" value.
+  // Try to find the "stale" value, and also keep track of the realm
+  // for the new challenge.
   while (parameters.GetNext()) {
-    if (!LowerCaseEqualsASCII(parameters.name(), "stale"))
-      continue;
-    if (LowerCaseEqualsASCII(parameters.value(), "true"))
-      return HttpAuth::AUTHORIZATION_RESULT_STALE;
+    if (LowerCaseEqualsASCII(parameters.name(), "stale")) {
+      if (LowerCaseEqualsASCII(parameters.value(), "true"))
+        return HttpAuth::AUTHORIZATION_RESULT_STALE;

[wtc, 2011/02/22 23:17:32]

IMPORTANT: what if the new challenge has both stale=true
and a different realm?  Can that happen?

[cbentzel, 2011/02/23 14:49:54]

It could happen, but it seems unexpected. It seems like it would indicate that
the specified realm has stale credentials - not the one that we previously
issued a challenge for. I'll see if the RFC or httpbis mentions this corner
case.

[asanka, 2011/02/23 18:06:40]

RFC 2617 states that the 'stale' value should only be set to 'true' if the
server "receives a request for which the nonce is invalid but with a valid
digest for that nonce (indicating that the client knows the correct
username/password)," and that the client "may wish to simply retry the request
with a new encrypted response, without reprompting the user for a new username
and password."

Based on that, I think giving precedence to the "stale=true" case and
disregarding a change in the realm is reasonable behavior.

+    } else if (LowerCaseEqualsASCII(parameters.name(), "realm")) {
+      realm = parameters.value();
+    }
   }
-
-  return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+  return (realm_ != realm) ?
+      HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM :
+      HttpAuth::AUTHORIZATION_RESULT_REJECT;
 }
 
 bool HttpAuthHandlerDigest::Init(HttpAuth::ChallengeTokenizer* challenge) {