[Openid-specs-ab] Session - session_state in UTF-8?

Nat Sakimura sakimura at gmail.com
Mon Aug 18 23:37:30 UTC 2014

One question. This just occurred to me when reading the proposed text on
issue #915 ( https://bitbucket.org/openid/connect/issue/915/ ).

Do we want to restrict the repertoire allowed in the session_state string?
I am a bit concerned that bunch of unexpected consequences may happen when
multi-bytes chars are used in it as it will be transmitted over the http
param and usually is dealt with the middleware the software is using.
If we are sure that it would not, I am fine with it, but if we are not
sure, it may be better to constrain the repertoire to ASCII etc. to be on
the safe side.

Perhaps I should reopen issue #917 (
https://bitbucket.org/openid/connect/issue/917) ?

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140819/6eae2aba/attachment.html>

More information about the Openid-specs-ab mailing list