Problem with nonces and HTTP GET
John Bradley
john.bradley at wingaa.com
Thu Jan 28 01:22:55 UTC 2010
I think it has been increased. It would probably be a boon to the internet if all versions of IE prior to 8 are deprecated.
However, I have a hard time seeing websites turning people away due to old browsers.
It is possible for an IdP to detect the browser and use GET up to 4K + if it is safe.
That won't solve the problem that nonces do what they are supposed to and prevent token resubmission.
John B.
On 2010-01-27, at 10:12 PM, Henrik Biering wrote:
>
> John Bradley wrote:
>>
>> The other alternative is to ban IE because it is the source of the 2K limit for GET.
>> Not a problem for FF or other browsers.
> Although I cannot find any official documentation, it seems that the traditional 2K limit for IE GET requests has been increased significantly in IE8
>
> =henrik