Subject: This is a great basic class if...
Summary: Package rating comment
Messages: 1
Author: Michael B
Date: 2009-06-04 14:05:41
Michael B rated this package as follows:
Utility: Sufficient
Consistency: Good
Examples: Sufficient
Michael B - 2009-06-04 14:05:41
This is a great basic class if you're trying to understand how OpenID works (and it helped me), but there is a slight security problem in the validateWithServer function.
Basically, you're not supposed to send multiple requests to the server with the same NONCE value, because someone else may have intercepted the plaintext authentication response from the OpenID Provider. The OpenID Provider (OP) is also not supposed to verify as true more than one request with the same NONCE value, but sometimes they do (currently Google and Yahoo both respond with is_valid: true for identical NONCE variables).
It is probably out of the scope of the class, but generally you're supposed to store the NONCE values for a small period of time (file or database) and compare against new requests, returning FALSE if you detect a duplicate NONCE value.
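The nonce bookkeeping described in this comment, as an added example (Python rather than PHP, and not code from the rated class or its author): a small file-backed store of nonces seen in the last few minutes, checked and recorded before the consumer makes its check_authentication round trip, so a replayed assertion is rejected locally even when the OP would answer is_valid:true again. It assumes OpenID 2.0 style nonces, which start with a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" and are only guaranteed unique per OP endpoint, so the store keys on the (openid.op_endpoint, openid.response_nonce) pair; the timestamp also lets stale nonces be rejected without keeping them forever. The response dict, endpoint URLs and the always-true check_authentication stand-in are constructed for the example.

```python
# Added example, not the rated class's code: reject replayed OpenID nonces
# before calling check_authentication. Assumes OpenID 2.0 response_nonce
# values (UTC timestamp "YYYY-MM-DDThh:mm:ssZ" + OP-chosen characters).
import json
import os
import re
import tempfile
import time
from datetime import datetime, timezone

# OpenID 2.0 nonces begin with a UTC timestamp; the remainder is opaque.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def nonce_timestamp(nonce):
    """Return the nonce's embedded timestamp as Unix time, or None if malformed."""
    m = NONCE_RE.match(nonce)
    if not m:
        return None
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).timestamp()


class NonceStore:
    """File-backed record of (OP endpoint, nonce) pairs seen within max_age seconds.

    max_age bounds both how stale a nonce may be and how long entries are kept,
    so the file cannot grow without limit. `now` is injectable for testing.
    """

    def __init__(self, path, max_age=300, now=time.time):
        self.path = path
        self.max_age = max_age
        self.now = now

    def _load(self):
        try:
            with open(self.path) as f:
                return json.load(f)
        except (OSError, ValueError):
            return {}

    def _save(self, entries):
        # Write to a temp file and rename so a crash never leaves a half-written store.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(entries, f)
        os.replace(tmp, self.path)

    def check_and_record(self, op_endpoint, nonce):
        """True if the nonce is well-formed, fresh and unseen for this OP, else False.

        A True result records the nonce, so a second call with the same
        arguments returns False: that is the replay the comment describes.
        (A multi-process deployment needs a file lock or a database unique
        constraint around this check; that is omitted here.)
        """
        ts = nonce_timestamp(nonce)
        if ts is None:
            return False
        now = self.now()
        if abs(now - ts) > self.max_age:
            return False  # outside the window we remember, so reject rather than trust
        entries = self._load()
        # Drop entries whose nonce timestamp is already outside the window; a
        # replay of those is caught by the staleness check above anyway.
        entries = {k: v for k, v in entries.items() if now - v <= self.max_age}
        key = op_endpoint + " " + nonce  # nonces are only unique per OP
        if key in entries:
            return False
        entries[key] = ts
        self._save(entries)
        return True


def validate_response(response, store, check_authentication):
    """validateWithServer-style step with the nonce check in front of the OP call.

    `response` holds the openid.* fields of the positive assertion;
    `check_authentication` stands in for the HTTP round trip to the OP and
    returns True when the OP reports is_valid:true.
    """
    op = response.get("openid.op_endpoint", "")
    nonce = response.get("openid.response_nonce", "")
    if not store.check_and_record(op, nonce):
        return False
    return check_authentication(response)


def make_temp_path():
    fd, path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    return path


def demo():
    """Replay scenario on a constructed response; returns the four verdicts."""
    response = {  # constructed sample, not a real OP assertion
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.response_nonce": "2009-06-04T14:05:41Zabc123",
    }
    fixed_now = nonce_timestamp(response["openid.response_nonce"]) + 10
    store = NonceStore(make_temp_path(), max_age=300, now=lambda: fixed_now)
    op_says_valid = lambda r: True  # an OP that answers is_valid:true every time
    first = validate_response(response, store, op_says_valid)
    replay = validate_response(response, store, op_says_valid)
    stale = store.check_and_record(response["openid.op_endpoint"], "2009-06-04T13:00:00Zabc123")
    other_op = store.check_and_record("https://other.example/endpoint", response["openid.response_nonce"])
    return first, replay, stale, other_op


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The second validate_response call returns False without ever contacting the OP, which is the point: the consumer no longer depends on the OP refusing a repeated check_authentication. The window (here 300 seconds) should be generous enough to cover clock skew between the consumer and the OP, since a nonce stamped slightly in the future is otherwise rejected as well.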