[Openid-specs-ab] Session - session_state in UTF-8?

Mike Jones Michael.Jones at microsoft.com
Tue Aug 19 00:03:45 UTC 2014

I’m not sure.  It would be good to hear from implementers.

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Monday, August 18, 2014 4:53 PM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Session - session_state in UTF-8?

Agreed. NQCHAR would be good.

Is it a good idea or am I just being overly anxious?


2014-08-19 8:43 GMT+09:00 Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>>:
If we’re going to do this, we should restrict it to the NQCHAR set from http://tools.ietf.org/html/rfc6749#appendix-A.1:

     NQCHAR     = %x21 / %x23-5B / %x5D-7E

(printable ASCII without double quote or backslash)

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net> [mailto:openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net>] On Behalf Of Nat Sakimura
Sent: Monday, August 18, 2014 4:38 PM
To: openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] Session - session_state in UTF-8?

One question. This just occurred to me when reading the proposed text on issue #915 ( https://bitbucket.org/openid/connect/issue/915/ ).

Do we want to restrict the repertoire allowed in the session_state string?
I am a bit concerned that bunch of unexpected consequences may happen when multi-bytes chars are used in it as it will be transmitted over the http param and usually is dealt with the middleware the software is using.
If we are sure that it would not, I am fine with it, but if we are not sure, it may be better to constrain the repertoire to ASCII etc. to be on the safe side.

Perhaps I should reopen issue #917 (https://bitbucket.org/openid/connect/issue/917) ?

Nat Sakimura (=nat)
Chairman, OpenID Foundation

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20140819/dddcb8cd/attachment-0001.html>

More information about the Openid-specs-ab mailing list