[Openid-specs-ab] Session - session_state in UTF-8?

Mike Jones Michael.Jones at microsoft.com
Mon Aug 18 23:43:23 UTC 2014


If we’re going to do this, we should restrict it to the NQCHAR set from http://tools.ietf.org/html/rfc6749#appendix-A.1:

     NQCHAR     = %x21 / %x23-5B / %x5D-7E

(printable ASCII without double quote or backslash)

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Monday, August 18, 2014 4:38 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Session - session_state in UTF-8?

One question. This just occurred to me when reading the proposed text on issue #915 ( https://bitbucket.org/openid/connect/issue/915/ ).

Do we want to restrict the repertoire allowed in the session_state string?
I am a bit concerned that a bunch of unexpected consequences may happen when multi-byte chars are used in it, as it will be transmitted over the HTTP param and is usually dealt with by the middleware the software is using.
If we are sure that it would not, I am fine with it, but if we are not sure, it may be better to constrain the repertoire to ASCII etc. to be on the safe side.

Perhaps I should reopen issue #917 (https://bitbucket.org/openid/connect/issue/917) ?

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
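
Added example, not part of either message above: a Python check of a session_state value against the NQCHAR set quoted in the reply, plus a round trip showing the charset problem raised in the original question. The function names and sample values are constructed; requiring at least one character and using latin-1 as the receiver's mis-set charset are assumptions.

```python
import re
from urllib.parse import quote, unquote

# NQCHAR = %x21 / %x23-5B / %x5D-7E   (RFC 6749, Appendix A.1)
# Assumption: an empty value is rejected (one or more NQCHAR).
NQCHAR_RE = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def is_nqchar(value: str) -> bool:
    """True if value consists only of NQCHAR characters."""
    return NQCHAR_RE.fullmatch(value) is not None


def offending(value: str) -> list:
    """(index, code point) of every character outside NQCHAR."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(value)
            if not NQCHAR_RE.fullmatch(c)]


def round_trip(value: str, sender_charset: str, receiver_charset: str) -> str:
    """Percent-encode as the sender does, decode as the receiver's middleware does."""
    wire = quote(value, safe="", encoding=sender_charset)
    return unquote(wire, encoding=receiver_charset, errors="replace")


def survives_charset_mismatch(value: str) -> bool:
    """Does the value come back unchanged when the two sides disagree on charset?"""
    return round_trip(value, "utf-8", "latin-1") == value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real OP.
    samples = ["a1B2c3.salt9", "a&b=c%", 'ab"cd', "ab cd", "é.salt", "セッション.salt"]
    for s in samples:
        print(f"{s!r:22} nqchar={is_nqchar(s)!s:5} "
              f"survives={survives_charset_mismatch(s)!s:5} bad={offending(s)}")
```

NQCHAR still contains characters such as `&`, `=`, `%` and `#`, so a conforming value must still be percent-encoded when carried in a query parameter; the restriction removes the charset ambiguity, not the need to encode.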