On 4/24/09 12:18 PM, Zachary Voase wrote: > But I think people are missing the idea that the consumer can just use > sessions and cookies to ensure that the browser which asked for the > request token is the same as the one which is authenticating it. > There's no need whatsoever for callback tokens, etc.
I think you're missing the fact that the attacker is the one using the consumer. The victim is just sent to SP to authorize the attacker's token with _the victim's_ identity, which then makes the attacker's session at the consumer access the victim's resources at the SP. -- Dossy Shiobara | [email protected] | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
