Problem with nonces and HTTP GET

Breno de Medeiros breno at google.com
Thu Jan 28 00:38:49 UTC 2010


> And I'm not trying to be a nit-picky HTTP purist here.  I'm talking about
> real-world problems from browsers, plugins, and/or proxies that believe GETs
> are actually side-effect free, that are causing logins to fail.

Yep, unfortunately the user experience in POST requests is suboptimal,
so nobody is excited to move this direction.

If the lack of effect-freeness is being manifested mostly in nonce
verification failures, then we could have a discussion around that
that might lead us somewhere.

