Check the server's reply upon successful authentication and validate it (just to make sure that no one is spoofing the server's reply). This will probably fail if qop=auth-int (code needs to be fixed).