> That was my first thought as well, but in that case, I would expect
> the request failures to be randomly distributed and relatively
> infrequent. In this case it fails every time (tested over a period of 6
> hours yesterday). I've also not encountered this issue with any of the
> other OAuth providers we use: Google, Yahoo or LinkedIn. In the case of
> Twitter, every request using the standard user-facing auth dance
> succeeds as well. That said, I can certainly introduce an additional
> factor to enhance the uniqueness of generated nonce values to test this
> further.
Why not just incorporate the current time into your random nonce? That's the easiest way. If you are already doing that, the only thing I can suggest is either using higher resolution timers or more bits of entropy.

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * [email protected]
-- /etc/motd: /earth is 98% full. please delete anyone you can. ---------------
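The suggestion above (time plus more entropy in the nonce) and the server-side reason it matters, as an added example that is not part of the thread: an OAuth 1.0-style client nonce built from a microsecond timestamp and 128 bits from the OS CSPRNG, next to the replay guard a provider keeps so a repeated nonce is rejected. The `NonceCache` class, its 300-second window and the `now` hook are assumptions for illustration, not any provider's actual implementation.

```python
import secrets
import time
from collections import deque


def make_nonce() -> str:
    """Client side: a per-request OAuth 1.0 nonce.

    Prefixes the current time (microseconds, hex) to 128 random bits so two
    requests issued in the same instant still differ. Output is [0-9a-f]
    only, so it needs no percent-encoding in the Authorization header.
    """
    stamp = f"{time.time_ns() // 1000:x}"   # microsecond timestamp
    return stamp + secrets.token_hex(16)     # 32 hex chars = 128 bits


class NonceCache:
    """Server side: reject replays and stale timestamps (OAuth 1.0a s.3.3).

    A (consumer_key, timestamp, nonce) triple may be accepted once within
    `window` seconds; anything outside the window is refused outright.
    `now` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, window: int = 300, now=time.time):
        self.window = window
        self.now = now
        self.seen = set()      # triples currently inside the window
        self.order = deque()   # (receipt_time, triple), oldest first

    def accept(self, consumer_key: str, timestamp: int, nonce: str) -> bool:
        now = self.now()
        if abs(now - timestamp) > self.window:
            return False       # clock skew or replay of an old request
        # Drop entries that have aged out so the cache stays bounded.
        while self.order and self.order[0][0] < now - self.window:
            _, old = self.order.popleft()
            self.seen.discard(old)
        key = (consumer_key, timestamp, nonce)
        if key in self.seen:
            return False       # same nonce seen again: replay
        self.seen.add(key)
        self.order.append((now, key))
        return True
```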
