On Thu, Jan 28, 2010 at 3:16 AM, John Bradley <[email protected]> wrote:
> The problem is that RPs are not tying the received assertion to the browser
> session the first time they receive the token.
>
> If you get the same token from the same browser session multiple times that
> should not be a problem.
>
> If you get the token from a different browser session that is a problem and
> it should be rejected.
>
> I don't think nonce processing in the spec is broken. Perhaps RP
> implementations need to improve their handling of authentication tokens.
>
> e.g. set a cookie with the nonce from the last authentication so that if the
> user hits the back button and resubmits you can detect it.

The broken scenario I started this thread with is about the RP receiving the assertion multiple times from the browser, but in such a way that the initial HTTP responses were discarded. So the RP setting a cookie in the HTTP response wouldn't help the scenario. But I think what you're suggesting would definitely help some of the problems around this.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
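An added example (not code from this thread or from any OpenID library) of the RP-side binding John describes: the first browser session to present a given `openid.response_nonce` becomes its owner, a resubmit from that same session is tolerated, and the same assertion arriving from any other session is rejected. It assumes the RP's signature check has already passed, that `session_id` is an RP session established before the redirect to the OP (so it exists even when the assertion response itself was discarded, as in the scenario above), and a one-hour freshness window that is an RP policy choice, not a spec value.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: RFC 3339 UTC timestamp ('Z', no fractional
# seconds) followed by an OP-chosen unique suffix, 255 chars or less.
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.{0,235})$")
MAX_NONCE_AGE = timedelta(hours=1)  # assumed RP policy, not from the spec


def parse_nonce_time(nonce):
    """Return the nonce's embedded UTC timestamp, or None if malformed."""
    m = _NONCE_RE.match(nonce)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13
        return None


class AssertionBinder:
    """Ties each (OP endpoint, nonce) pair to the session that first used it."""

    def __init__(self):
        # Nonces are unique per OP, so the endpoint is part of the key.
        self._owner = {}  # (op_endpoint, nonce) -> session_id

    def check(self, session_id, op_endpoint, nonce, now):
        ts = parse_nonce_time(nonce)
        if ts is None:
            return "malformed"
        if now - ts > MAX_NONCE_AGE:
            return "stale"  # outside the window; entries this old are pruned
        key = (op_endpoint, nonce)
        owner = self._owner.get(key)
        if owner is None:
            self._owner[key] = session_id
            return "accept"  # first presentation
        if owner == session_id:
            return "resubmit"  # same browser session (back button, reload)
        return "reject"  # same assertion from a different session: replay

    def prune(self, now):
        """Drop entries older than the window; stale ones are refused anyway."""
        for key in [k for k in self._owner
                    if now - parse_nonce_time(k[1]) > MAX_NONCE_AGE]:
            del self._owner[key]
        return len(self._owner)
```

Keyed on the OP endpoint plus the nonce rather than the nonce alone because the spec only requires the nonce to be unique per OP.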
