Problem with nonces and HTTP GET

Andrew Arnott andrewarnott at gmail.com
Fri Jan 22 15:39:17 UTC 2010


HTTP GET is supposed to be completely effect-free on the server.  But nonces
in OpenID messages violate that aspect of the HTTP spec, since any
subsequent GET with the same positive assertion will (or should) fail.  I
speculate that some random login failures on StackOverflow
<http://meta.stackoverflow.com/questions/32247/cant-login-to-so-with-openid-the-signature-verification-failed/36583#36583>
may be caused because a browser, an accelerator plugin, or a proxy attempted
to repeat the assertion-carrying GET request (since that's supposed to be
safe), and a subsequent request is the one whose response is displayed in
the browser, failing user login.
POST is a better fit with the HTTP spec for how the message is actually
processed on the server.  I know lately we've been looking for ways to cram
more data into < 2KB payloads so we can get off POST and onto GET since the
user experience is better.  But I wonder if we can put our heads together
and figure out how to have our cake and eat it too with this nonce problem.
This error doesn't come up often, but it can come up, apparently does come
up, and is a natural side-effect of the way OpenID communicates.

Any ideas?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
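One way to keep the nonce's replay protection while tolerating a repeated GET, written as an added example that is not part of this post and not any OpenID library's API: the nonce store records who consumed the nonce (the RP's own session cookie, assumed to be available to the RP) and the exact message, so a byte-identical repeat from the same session gets the same answer, while any other reuse is still rejected.

```python
# Added example, not the post's or any OpenID library's code.
from datetime import datetime, timezone
import time

NONCE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # OpenID 2.0 response_nonce prefix

class NonceStore:
    """One-shot nonces make the assertion-carrying GET non-idempotent: the
    first request logs the user in, and a repeat (browser retry, accelerator,
    proxy) is rejected as a replay, so the user sees a failure. Here the
    first use records the consuming RP session and the exact message; an
    identical repeat from that same session is accepted, any other reuse of
    the nonce is rejected as a replay."""

    def __init__(self, max_age_seconds=300, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock
        self._seen = {}  # nonce -> (seen_at, session_id, message fingerprint)

    def _nonce_time(self, nonce):
        # The nonce starts with the OP's UTC timestamp; anything after is random.
        try:
            return datetime.strptime(nonce[:20], NONCE_TIME_FORMAT).replace(
                tzinfo=timezone.utc).timestamp()
        except ValueError:
            return None

    def check(self, assertion, session_id):
        """assertion: dict of openid.* fields whose signature already verified.
        Returns (accepted, reason)."""
        now = self.clock()
        # Forget nonces older than the window; they are rejected by age anyway.
        for n, (t, _, _) in list(self._seen.items()):
            if now - t > self.max_age:
                del self._seen[n]
        nonce = assertion.get("openid.response_nonce", "")
        issued = self._nonce_time(nonce)
        if issued is None:
            return False, "malformed nonce"
        if abs(now - issued) > self.max_age:
            return False, "nonce outside the acceptable time window"
        fingerprint = tuple(sorted(assertion.items()))
        entry = self._seen.get(nonce)
        if entry is None:
            self._seen[nonce] = (now, session_id, fingerprint)
            return True, "first use"
        if entry[1:] == (session_id, fingerprint):
            return True, "identical repeat from the same session"
        return False, "replay: nonce already consumed"
```

The store must be shared by every RP node that can receive the assertion, and the tolerance only covers repeats that carry the same session cookie; a replay from elsewhere is still refused.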