<div class="gmail_quote">On Thu, Jan 28, 2010 at 3:16 AM, John Bradley <span dir="ltr"><<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word"><div>The problem is that RPs are not tying the received assertion to the browser session the first time they receive the token.</div><div><br></div><div>If you get the same token from the same browser session multiple times, that should not be a problem.</div>
<div><br></div><div>If you get the token from a different browser session, that is a problem and it should be rejected.</div><div><br></div><div>I don't think nonce processing in the spec is broken. Perhaps RP implementations need to improve their handling of authentication tokens.</div>
<div><br></div><div>E.g. set a cookie with the nonce from the last authentication so that if the user hits the back button and resubmits, you can detect it.</div></div></blockquote><div><br></div><div>The broken scenario I started this thread with is about the RP receiving the assertion multiple times from the browser, but in such a way that the initial HTTP responses were discarded. So the RP setting a cookie in the HTTP response wouldn't help the scenario.</div>
<div><br></div><div>But I think what you're suggesting would definitely help some of the problems around this.</div></div>
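<div>As an added example (not code from the thread or from any OpenID library), the following Python models the RP-side handling discussed above: bind each assertion nonce to the browser session that first presents it, accept harmless re-submissions from that same session, and reject the same nonce from any other session. It also models the "last nonce" cookie check for back-button resubmits and the case raised in the reply, where the RP's first response (and so its cookie) never reached the browser. Nonce values, session ids and all names are constructed for the example.</div>

```python
# Added example (not from the thread); nonces, session ids and names are
# constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, Optional

ACCEPT, DUPLICATE, REPLAY = "accepted", "accepted-duplicate", "rejected-replay"


@dataclass
class RelyingParty:
    # Server-side state: nonce -> browser session that first presented it.
    bound: Dict[str, str] = field(default_factory=dict)

    def verify(self, nonce: str, session_id: str) -> str:
        """Bind the nonce to the presenting session on first receipt.
        Re-presentation from the same session (back button, reload, retry
        after a lost response) is harmless; the same nonce from any other
        session is a replay and is rejected. No cookie needs to have reached
        the browser, so this still works when the RP's first response was lost.
        """
        owner = self.bound.get(nonce)
        if owner is None:
            self.bound[nonce] = session_id
            return ACCEPT
        return DUPLICATE if owner == session_id else REPLAY


def cookie_detects_resubmit(nonce: str, last_nonce_cookie: Optional[str]) -> bool:
    """Back-button detection from a 'last nonce' cookie alone; only fires
    if the browser actually received the response that set the cookie."""
    return last_nonce_cookie is not None and last_nonce_cookie == nonce


def demo() -> Dict[str, object]:
    """Walk through the scenarios discussed in the thread."""
    rp = RelyingParty()
    nonce = "2010-01-28T03:16:00ZaBcDeF"  # constructed OpenID-style nonce
    out: Dict[str, object] = {}
    # 1. Normal login from browser session A; RP replies and sets last-nonce cookie.
    out["first"] = rp.verify(nonce, "sess-A")
    # 2. Back button + resubmit from A; the cookie did reach the browser.
    out["back_button_cookie"] = cookie_detects_resubmit(nonce, nonce)
    out["back_button"] = rp.verify(nonce, "sess-A")
    # 3. The reply's case: the RP's first response was discarded, so no cookie.
    out["lost_response_cookie"] = cookie_detects_resubmit(nonce, None)
    out["lost_response"] = rp.verify(nonce, "sess-A")
    # 4. The same assertion arrives from a different browser session.
    out["other_session"] = rp.verify(nonce, "sess-B")
    return out
```

The cookie check alone misses scenario 3, while the server-side binding still classifies it correctly and still rejects scenario 4.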