[Openid-specs-ab] Session Management: Security Considerations
Andreas Åkre Solberg
andreas.solberg at uninett.no
Thu Sep 1 21:31:54 UTC 2011
On 1. sep. 2011, at 23:12, John Bradley wrote:
> That is what the RP should use nonce to stop. If in the new session it creates a new nonce value, that won't match the nonce in the id_token.
Aha..!
Thanks, that solves it.
And yes, I think we agree that this needs to be mentioned in the session management document.
Andreas
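
The nonce check discussed in this message, as an added example that is not part of the original thread or of any specification text: the RP stores a fresh nonce in each session and rejects an id_token whose nonce claim belongs to a different session. The function names, session layout and the unsigned sample token are assumptions for illustration; a real RP validates the id_token signature before this step.

```python
import base64
import hmac
import json
import secrets


def new_session():
    """Start an RP session with a fresh nonce to send in the authentication request."""
    return {"nonce": secrets.token_urlsafe(32)}


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(nonce):
    """Build a constructed, unsigned sample id_token (illustration only)."""
    claims = {"iss": "https://op.example", "sub": "user-1", "nonce": nonce}
    return _b64url({"alg": "none"}) + "." + _b64url(claims) + "."


def claims_of(id_token):
    """Decode the payload segment; signature validation is assumed done earlier."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def nonce_matches(session, id_token):
    """True only if the id_token carries the nonce issued for this session."""
    claimed = claims_of(id_token).get("nonce")
    if not isinstance(claimed, str):
        return False  # missing or malformed nonce claim: reject
    return hmac.compare_digest(claimed.encode(), session["nonce"].encode())


if __name__ == "__main__":
    first = new_session()
    token = make_constructed_token(first["nonce"])
    print("same session:", nonce_matches(first, token))
    # A new session gets a new nonce, so the old id_token no longer matches.
    print("new session: ", nonce_matches(new_session(), token))
```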