On Tue, May 5, 2009 at 9:34 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:
> I would prefer to fix OAuth security issue 2009-1 without unnecessarily
> preventing state-management options that previously worked, and without
> requiring cookies where they were not previously necessary.
I'm pretty sure that any client that encodes all state in the callback URL is still vulnerable to session fixation.

You mentioned using Referer or Origin HTTP headers to prevent XSRF of the callback URL, but those don't actually work to prevent the session fixation attack. (Referer and Origin will always point to the SP.)

(Nit: the protocol doesn't actually require cookies. Other types of client-side state (JavaScript variables for web browsers, disk or memory storage for installed apps) are perfectly viable.)
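To illustrate the distinction this reply draws, here is an added example (not code from the thread or from any OAuth library) of a consumer's callback handler written two ways: one that keeps all of its state in the callback URL and can only check the Referer, and one that binds the request token to client-side session state. The `SP_ORIGIN` value, the `local_user` query parameter and the in-memory session store are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlparse

SP_ORIGIN = "https://sp.example"  # placeholder for the service provider's origin


class Consumer:
    """Minimal OAuth 1.0 consumer callback handling (constructed example)."""

    def __init__(self):
        # session_id -> state bound to that browser (cookie, JS variable, app storage...)
        self.sessions = {}

    def start_authorization(self, session_id, local_user):
        """Obtain a request token (simulated) and remember it in this session's state."""
        request_token = secrets.token_hex(8)
        self.sessions[session_id] = {"request_token": request_token, "local_user": local_user}
        return request_token

    def callback_url_state_only(self, callback_url, referer):
        """Vulnerable pattern: the local account and the token both ride in the URL.
        The only check available is the Referer, which always points to the SP,
        so it accepts any (local_user, oauth_token) pair the URL happens to carry."""
        if referer != SP_ORIGIN:
            return None
        q = parse_qs(urlparse(callback_url).query)
        return q["local_user"][0], q["oauth_token"][0]

    def callback_session_bound(self, session_id, callback_url):
        """Hardened pattern: accept only the request token this session started with,
        and take the local account from the session, never from the URL."""
        state = self.sessions.get(session_id)
        token = parse_qs(urlparse(callback_url).query).get("oauth_token", [""])[0]
        if state is None or not secrets.compare_digest(state["request_token"], token):
            return None
        del self.sessions[session_id]  # one-shot: the token cannot be replayed
        return state["local_user"], token
```

In the session-bound version a callback whose token was not issued to this browser's session is rejected regardless of Referer, which is the property the URL-only version cannot provide.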