On Sun, Apr 26, 2009 at 6:29 PM, Peter Keane <pjke...@gmail.com> wrote:
>> b) that's what the unpredictable callback token is for.
>
> Does that demonstrate it is the same user? I believe it makes it
> highly likely, but not "verifiable" (in standard authentication terms.
> Nothing is 100% verifiable).
The request token provides linkage from the consumer to the service provider. The callback token provides linkage in the opposite direction. If the consumer proves possession of a matching request token and callback token, that's excellent evidence that no session fixation attack is occurring.
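To make the two linkages concrete, here is an added toy model (mine, not code from this thread or from any OAuth library): an in-memory `ServiceProvider` that issues request tokens, binds an unpredictable verifier to each one on authorization, and only exchanges a request token whose verifier the consumer can present, plus a consumer-side callback check that the request token matches the one stored in the browser session that started the flow. Names and token formats are assumptions.

```python
import hmac
import secrets


class ServiceProvider:
    """Toy OAuth 1.0a service provider; all state is in memory."""

    def __init__(self):
        self.request_tokens = {}  # request_token -> state dict

    def issue_request_token(self, consumer_key):
        # Consumer -> provider linkage: the consumer receives this token
        # and keeps it in the user's session while the user authorizes.
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer_key,
                                      "verifier": None, "used": False}
        return token

    def authorize(self, request_token, user):
        # The resource owner approves the token in their own browser; the
        # provider binds an unpredictable verifier to this token and sends
        # it back through that same browser (callback or manual entry).
        state = self.request_tokens[request_token]
        state["verifier"] = secrets.token_urlsafe(16)
        state["user"] = user
        return state["verifier"]

    def exchange(self, consumer_key, request_token, verifier):
        # Provider -> consumer linkage checked here: the consumer must hold
        # both the request token and the verifier bound to it, once only.
        state = self.request_tokens.get(request_token)
        if state is None or state["used"] or state["verifier"] is None:
            return None
        if state["consumer"] != consumer_key:
            return None
        if not hmac.compare_digest(state["verifier"], verifier):
            return None  # wrong or guessed verifier: reject
        state["used"] = True
        return {"access_token": secrets.token_urlsafe(16),
                "user": state["user"]}


def consumer_handles_callback(session, params):
    """Consumer side: the callback must carry the request token that this
    browser session started with; otherwise it belongs to another flow."""
    expected = session.get("request_token")
    if expected is None or params.get("oauth_token") != expected:
        return None  # token from a different session: do not continue
    return params.get("oauth_verifier")
```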