Zend Framework

Nonces should be unique by Identity Provider.

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.6.0
  • Component/s: Zend_OpenId
  • Labels: None

Description

The isUniqueNonce function doesn't provide a way to pass in the IdP endpoint URL.

According to the spec, nonces shouldn't be unique overall, just per provider. In a high-traffic environment it's possible that legitimate nonce collisions could occur, though it will only happen occasionally.

The spec says (11.3):

'To prevent replay attacks, the agent checking the signature keeps track of the nonce values included in positive assertions and never accepts the same value more than once for the same OP Endpoint URL.'

The Zend_OpenId_Consumer_Storage interface needs to be altered to allow for unique nonces by endpoint provider, and the verify function in the consumer should start passing in the endpoint provider.
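The following is an added illustration of the change the report asks for, not Zend Framework's own code: a nonce store whose uniqueness check is keyed by OP Endpoint URL as well as by nonce, plus the replay-check step of a verifier that passes the endpoint through. The interface, class and function names and the sample endpoint URLs are assumptions for this example.

```php
<?php
// Added example, not Zend Framework code. Names below are assumptions.

interface NonceStorage
{
    /** Record $nonce for $endpoint; false if already seen for that endpoint. */
    public function isUniqueNonce(string $endpoint, string $nonce): bool;
}

final class ArrayNonceStorage implements NonceStorage
{
    /** @var array<string, true> keyed by "<endpoint>\0<nonce>" */
    private array $seen = [];

    public function isUniqueNonce(string $endpoint, string $nonce): bool
    {
        // Scoping by endpoint (OpenID 2.0 section 11.3): the same nonce string
        // from two different OPs is legitimate and must not be treated as a replay.
        $key = $endpoint . "\0" . $nonce;
        if (isset($this->seen[$key])) {
            return false; // second use for the same OP: reject as a replay
        }
        $this->seen[$key] = true;
        return true;
    }
}

/**
 * Replay-check step of an assertion verifier. The OP Endpoint URL comes from
 * the positive assertion itself (openid.op_endpoint) and is passed to storage.
 */
function checkNonce(NonceStorage $store, array $params): bool
{
    $endpoint = $params['openid.op_endpoint'] ?? '';
    $nonce    = $params['openid.response_nonce'] ?? '';
    if ($endpoint === '' || $nonce === '') {
        return false; // both fields are required in an OpenID 2.0 positive assertion
    }
    return $store->isUniqueNonce($endpoint, $nonce);
}

// Constructed sample: two OPs happen to emit the same nonce value.
$store = new ArrayNonceStorage();
$nonce = '2008-05-01T12:00:00ZabCDeF';
$fromA = ['openid.op_endpoint' => 'https://op-a.example/server', 'openid.response_nonce' => $nonce];
$fromB = ['openid.op_endpoint' => 'https://op-b.example/server', 'openid.response_nonce' => $nonce];
echo 'first from A: ',  checkNonce($store, $fromA) ? "accepted\n" : "rejected\n";
echo 'same from B:  ',  checkNonce($store, $fromB) ? "accepted\n" : "rejected\n"; // different OP, not a replay
echo 'again from A: ',  checkNonce($store, $fromA) ? "accepted\n" : "rejected\n"; // same OP, replay
```

A global (unscoped) check would reject the second assertion from OP B even though it is legitimate, which is exactly the false-positive collision the report describes.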

Activity

Paul Huff added a comment -

We don't have a fix for this one, because I was afraid to alter the interface without checking in.

Darby Felton added a comment -

Marking as fixed for next minor release pending merge of changes to release-1.5 branch.

Wil Sinclair added a comment -

Updating for the 1.6.0 release.
