[Openid-specs-ab] Session - session_state in UTF-8?

Nat Sakimura sakimura at gmail.com
Mon Aug 18 23:52:42 UTC 2014


Agreed. NQCHAR would be good.

Is it a good idea or am I just being overly anxious?

Nat


2014-08-19 8:43 GMT+09:00 Mike Jones <Michael.Jones at microsoft.com>:

>  If we’re going to do this, we should restrict it to the NQCHAR set from
> http://tools.ietf.org/html/rfc6749#appendix-A.1:
>
>
>
>      NQCHAR     = %x21 / %x23-5B / %x5D-7E
>
>
>
> (printable ASCII without double quote or backslash)
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Nat Sakimura
> *Sent:* Monday, August 18, 2014 4:38 PM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* [Openid-specs-ab] Session - session_state in UTF-8?
>
>
>
> One question. This just occurred to me when reading the proposed text on
> issue #915 ( https://bitbucket.org/openid/connect/issue/915/ ).
>
>
>
> Do we want to restrict the repertoire allowed in the session_state string?
>
> I am a bit concerned that bunch of unexpected consequences may happen when
> multi-bytes chars are used in it as it will be transmitted over the http
> param and usually is dealt with the middleware the software is using.
>
> If we are sure that it would not, I am fine with it, but if we are not
> sure, it may be better to constrain the repertoire to ASCII etc. to be on
> the safe side.
>
>
>
> Perhaps I should reopen issue #917 (
> https://bitbucket.org/openid/connect/issue/917) ?
>
>
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140819/345278d1/attachment.html>


More information about the Openid-specs-ab mailing list