Problem with nonces and HTTP GET
Andrew Arnott
andrewarnott at gmail.com
Thu Jan 28 00:40:40 UTC 2010
Absolutely. In fact, if part of a solution to any problem is to get all
parties on SSL, then nonces can just go away -- am I right?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Wed, Jan 27, 2010 at 4:38 PM, Breno de Medeiros <breno at google.com> wrote:
> > And I'm not trying to be a nit-picky HTTP purist here. I'm talking about
> > real-world problems from browsers, plugins, and/or proxies that believe GETs
> > are actually side-effect free, that are causing logins to fail.
>
> Yep, unfortunately the user experience in POST requests is suboptimal,
> so nobody is excited to move this direction.
>
> If the lack of effect-freeness is being manifested mostly in nonce
> verification failures, then we could have a discussion around that
> that might lead us somewhere.
>