WebApiHMACAuthentication icon indicating copy to clipboard operation
WebApiHMACAuthentication copied to clipboard

Published 20 hours ago verified publisher icon tjoudeh

Update HMACAuthenticationAttribute.cs

Open vhatuncev opened this issue 9 years ago • 3 comments

var serverClock = TimeSpan.FromTicks(DateTime.UtcNow.Ticks); var requestClock = TimeSpan.FromTicks(DateTime.UtcNow.AddSeconds(1).Ticks);

var serverTime = Convert.ToUInt64(serverClock.TotalSeconds); var requestTime = Convert.ToUInt64(requestClock.TotalSeconds);

Console.WriteLine(serverTime - requestTime);

vhatuncev avatar Feb 16 '16 20:02 vhatuncev

need additional check for requestTotalSeconds variable for example if requestTotalSeconds more on one second(because request host has different time), result of statement serverTotalSeconds - requestTotalSeconds will be very big value and not negative as expected so all request will treated as reply attack and rejected check code in comment for this file. suggestion is - convert to signed integer, so even if request local time will be far away from server time it will

vhatuncev avatar Mar 26 '16 21:03 vhatuncev

I ran into the same issue, but used Math.Abs((Int64)(serverTotalSeconds - requestTotalSeconds)) > requestMaxAgeInSeconds I used Abs because I wanted to discourage clients with clocks that are way out of sync from calling my apis.

saipuli avatar Dec 20 '16 21:12 saipuli

Well, it can save you, but not more then requestMaxAgeInSeconds, if clients out of sync for hours you still get the error. Another thing, it saves you only if clients have local time in future, relatively from server, if client clocks will be in the past, relatively from server, it won't help.

vhatuncev avatar Dec 21 '16 12:12 vhatuncev