[OpenID] Nonces generated by the server?
Andrew Arnott
andrewarnott at gmail.com
Tue Mar 31 22:15:07 UTC 2009
>
> I'm also somewhat curious about how many OpenID consumers actually do nonce
> checking. Net::OpenID::Consumer for Perl actually ignores the nonce
> altogether and implements its own timestamp checking due to legacy code for
> OpenID 1.1, and seems to be vulnerable to replay for up to 30 seconds after
> a positive assertion.
>
The author of the Perl library ought to be ashamed. This kind of thing
reduces my confidence in using OpenID at any site other than one that I
wrote the library for myself.
Although this is what OSIS testing is all about. Hopefully there is a test
to catch RPs and OPs that don't check the nonce for replays.
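The replay check the thread says a relying party must perform on `openid.response_nonce`, added here as an example; this is not code from the thread or from Net::OpenID::Consumer. It assumes the OpenID 2.0 nonce shape (a UTC timestamp followed by unique ASCII characters, at most 255 characters), a per-OP-endpoint store of accepted nonces, and a constructed 30-second skew window.

```python
import re
import datetime as dt

# openid.response_nonce per OpenID 2.0: "YYYY-MM-DDTHH:MM:SSZ" followed by
# unique printable ASCII characters; the whole value is at most 255 chars.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z([\x21-\x7e]*)$")


class NonceStore:
    """In-memory record of (op_endpoint, nonce) pairs already accepted.
    A production RP would back this with a shared store so that every
    front-end node sees the same accepted nonces."""

    def __init__(self, skew_seconds=30):
        self.skew = skew_seconds          # constructed window, not from the spec
        self.seen = {}                    # (op_endpoint, nonce) -> timestamp

    def check(self, op_endpoint, nonce, now):
        """Return True only if the nonce is well-formed, fresh and unseen.
        On success the nonce is recorded so a replayed assertion is rejected."""
        if len(nonce) > 255:
            return False
        m = NONCE_RE.match(nonce)
        if not m:
            return False
        try:
            stamp = dt.datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            return False
        stamp = stamp.replace(tzinfo=dt.timezone.utc)
        # Reject nonces outside the skew window in either direction; a nonce
        # older than the window would otherwise be replayable forever.
        if abs((now - stamp).total_seconds()) > self.skew:
            return False
        key = (op_endpoint, nonce)
        if key in self.seen:
            return False                  # replay: same assertion seen twice
        self.seen[key] = stamp
        return True

    def expire(self, now):
        """Drop nonces older than the window; check() already rejects those
        by timestamp, so forgetting them is safe and bounds the store."""
        cutoff = now - dt.timedelta(seconds=self.skew)
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}
```

Nonces are keyed on the OP endpoint as well as the value because the spec only requires a nonce to be unique per OP.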