turn
Detect stale nonces
Update buildNonce and authenticateRequest to generate and check the times on those.
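One way to do what the issue asks, as an added example rather than the project's own code: embed the issue time in the nonce, authenticate that field so a client cannot rewrite it, and have the server-side check reject nonces past a configured lifetime (the case a server would answer with STUN/TURN error 438, Stale Nonce, so the client re-authenticates with a fresh one). `buildNonce` keeps the name from the issue; `checkNonce` is a hypothetical stand-in for the check `authenticateRequest` would perform, and the key, lifetime and timestamps are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Outcomes of checkNonce. A TURN server would map ErrStaleNonce to error
// code 438 (Stale Nonce) and the other two to an authentication failure.
var (
	ErrMalformedNonce = errors.New("nonce: malformed")
	ErrForgedNonce    = errors.New("nonce: bad authentication tag")
	ErrStaleNonce     = errors.New("nonce: expired")
)

const (
	nonceRandomLen = 16 // per-nonce randomness so two nonces in one second differ
	nonceTagLen    = 16 // truncated HMAC-SHA256 tag over timestamp||random
)

// buildNonce returns base64url( unixSeconds(8) || random(16) || tag(16) ).
// The timestamp records when the nonce was issued; the HMAC tag (key is a
// server-side secret, constructed for this example) stops a client from
// minting nonces or rewriting the timestamp to keep an old nonce alive.
func buildNonce(key []byte, now time.Time) (string, error) {
	body := make([]byte, 8+nonceRandomLen)
	binary.BigEndian.PutUint64(body[:8], uint64(now.Unix()))
	if _, err := rand.Read(body[8:]); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	tag := mac.Sum(nil)[:nonceTagLen]
	return base64.RawURLEncoding.EncodeToString(append(body, tag...)), nil
}

// checkNonce verifies the tag first and the age second. The order matters:
// a forged nonce must not be reported as merely stale, because 438 tells the
// client "retry with the nonce in this response" rather than "go away".
func checkNonce(key []byte, nonce string, now time.Time, lifetime time.Duration) error {
	raw, err := base64.RawURLEncoding.DecodeString(nonce)
	if err != nil || len(raw) != 8+nonceRandomLen+nonceTagLen {
		return ErrMalformedNonce
	}
	body, tag := raw[:8+nonceRandomLen], raw[8+nonceRandomLen:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)[:nonceTagLen]) {
		return ErrForgedNonce
	}
	issued := time.Unix(int64(binary.BigEndian.Uint64(body[:8])), 0)
	// Too old, or issued "in the future" (server clock stepped backwards):
	// either way the client should fetch a fresh nonce.
	if now.Sub(issued) > lifetime || issued.After(now.Add(time.Minute)) {
		return ErrStaleNonce
	}
	return nil
}

func main() {
	key := []byte("constructed-server-secret") // constructed, not a real key
	lifetime := time.Hour
	now := time.Now()

	nonce, err := buildNonce(key, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("issued nonce:", nonce)
	fmt.Println("check now:        ", checkNonce(key, nonce, now, lifetime))
	fmt.Println("check after 2h:   ", checkNonce(key, nonce, now.Add(2*time.Hour), lifetime))
	fmt.Println("check wrong key:  ", checkNonce([]byte("other"), nonce, now, lifetime))
}
```

Because the issue time lives inside the nonce and is covered by the tag, the server keeps no per-nonce state for the staleness check; the trade-off RFC 7616 points at (the check's cost) is one HMAC per request. A deployment that also needs single-use nonces would have to add a replay cache keyed on the random field, which this example deliberately leaves out.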
That's debatable.
RFC 8489 merely says "See Section 5.4 of [RFC7616] for guidelines.", while RFC 7616 says
the server is
free to construct the nonce such that it MAY only be used from a
particular client, for a particular resource, for a limited period of
time or number of uses, or any other restrictions. Doing so
strengthens the protection provided against, for example, replay
attacks (see Section 5.5). However, it should be noted that the
method chosen for generating and checking the nonce also has
performance and resource implications.