Problem with nonces and HTTP GET

Andrew Arnott andrewarnott at gmail.com
Thu Jan 28 14:11:46 UTC 2010


On Thu, Jan 28, 2010 at 3:16 AM, John Bradley <john.bradley at wingaa.com> wrote:

> The problem is that RPs are not tying the received assertion to the browser
> session the first time they receive the token.
>
> If you get the same token from the same browser session multiple times that
> should not be a problem.
>
> If you get the token from a different browser session that is a problem and
> it should be rejected.
>
> I don't think nonce processing in the spec is broken. Perhaps RP
> implementations need to improve their handling of authentication tokens.
>
> eg set a cookie with the nonce from the last authentication so that if the
> user hits the back button and resubmits you can detect it.
>

The broken scenario I started this thread with is about the RP receiving the
assertion multiple times from the browser, but in such a way that the
initial HTTP responses were discarded.  So the RP setting a cookie in the
HTTP response wouldn't help the scenario.

But I think what you're suggesting would definitely help some of the
problems around this.
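The RP-side check John describes, binding a response_nonce to the browser session that first presented it, as an added example that is not code from this thread or from any OpenID library. It assumes the RP already has a session identifier for the browser when the assertion arrives (for instance a session cookie issued before the redirect to the OP, so it does not depend on the response that carries the assertion being delivered), that nonces begin with an OpenID 2.0 style UTC timestamp such as "2010-01-28T14:11:46Z", and that an in-memory store suffices for illustration; the store, the five-minute window and the session and nonce values are constructed for the example.

```python
"""Replay protection for OpenID assertions at the RP: bind each
(op_endpoint, response_nonce) to the browser session that first used it.

Constructed example, not from the mailing-list thread or any OpenID
library.  Assumes the RP knows the browser's session id when the
assertion arrives and that nonces carry the OpenID 2.0 timestamp prefix.
"""
import threading
from datetime import datetime, timezone

NONCE_WINDOW = 5 * 60                  # seconds a nonce stays acceptable (assumed)
_NONCE_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # OpenID 2.0 response_nonce timestamp prefix


def parse_nonce_timestamp(nonce):
    """POSIX time encoded at the start of a response_nonce, or None if malformed."""
    try:
        ts = datetime.strptime(nonce[:20], _NONCE_TS_FMT)
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc).timestamp()


class NonceStore:
    """Remembers which browser session first presented each nonce.

    check() returns one of:
      'accept'    first time this nonce is seen; it is now bound to session_id
      'duplicate' same nonce, same session (back button / retried page load)
      'reject'    same nonce presented by a different session (replay)
      'stale'     nonce malformed or outside NONCE_WINDOW of the RP clock
    """

    def __init__(self, now):
        self._now = now                     # clock callable, injectable for tests
        self._seen = {}                     # (op_endpoint, nonce) -> (session_id, first_seen)
        self._lock = threading.Lock()

    def _expire(self):
        cutoff = self._now() - NONCE_WINDOW
        for key, (_, first_seen) in list(self._seen.items()):
            if first_seen < cutoff:
                del self._seen[key]

    def check(self, session_id, op_endpoint, nonce):
        issued = parse_nonce_timestamp(nonce)
        if issued is None or abs(self._now() - issued) > NONCE_WINDOW:
            return "stale"
        key = (op_endpoint, nonce)
        with self._lock:
            self._expire()
            entry = self._seen.get(key)
            if entry is None:
                self._seen[key] = (session_id, self._now())
                return "accept"
            owner, _ = entry
            return "duplicate" if owner == session_id else "reject"


# Fixed clock so the walk-through is deterministic: 30 s after the OP signed.
FIXED_NOW = parse_nonce_timestamp("2010-01-28T14:11:46Z") + 30
OP = "https://op.example/endpoint"       # assumed OP endpoint URL


def demo():
    """Walk through the cases discussed in the thread; returns the verdicts."""
    store = NonceStore(now=lambda: FIXED_NOW)
    nonce = "2010-01-28T14:11:46ZabcXYZ"           # constructed nonce
    return [
        store.check("sess-A", OP, nonce),           # first receipt: bound to session A
        store.check("sess-A", OP, nonce),           # same browser resubmits: harmless
        store.check("sess-B", OP, nonce),           # another session replays it: rejected
        store.check("sess-C", OP, "2010-01-28T13:00:00Zold"),  # outside the window
        store.check("sess-C", OP, "not-a-nonce"),   # malformed timestamp prefix
    ]
    # → ['accept', 'duplicate', 'reject', 'stale', 'stale']


if __name__ == "__main__":
    print(demo())
```

The store is keyed on the OP endpoint as well as the nonce, because uniqueness of response_nonce is only guaranteed per OP. Expiring entries older than the acceptance window keeps the store bounded, since any nonce older than that is refused by the timestamp check before it is looked up.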