Issue Type: Bug Created: 2008-04-18T00:20:08.000+0000 Last Updated: 2008-09-02T10:39:29.000+0000 Status: Resolved Fix version(s): - 1.6.0 (02/Sep/08)
Reporter: Paul Huff (phuff) Assignee: Dmitry Stogov (dmitry) Tags: - Zend_OpenId
Related issues: Attachments:
The isUniqueNonce function doesn't provide a way to pass in the IdP endpoint URL.
According to the spec, nonces shouldn't be unique overall, just by provider. In a high traffic environment it's possible that legitimate nonce collisions could occur, though it will only happen occasionally.
The spec says (11.3):
'To prevent replay attacks, the agent checking the signature keeps track of the nonce values included in positive assertions and never accepts the same value more than once for the same OP Endpoint URL.'
The Zend_OpenId_Consumer_Storage interface needs to be altered to allow for unique nonces by endpoint provider, and the verify function in the consumer should start passing in the endpoint provider.
Posted by Paul Huff (phuff) on 2008-04-18T00:20:38.000+0000
We don't have a fix for this one, because I was afraid to alter the interface without checking in.
Posted by Darby Felton (darby) on 2008-04-21T13:47:46.000+0000
Marking as fixed for next minor release pending merge of changes to release-1.5 branch.
Posted by Wil Sinclair (wil) on 2008-09-02T10:39:29.000+0000
Updating for the 1.6.0 release.
Have you found an issue?
See the Overview section for more details.