On Jul 4, 3:10 pm, Monis <[email protected]> wrote: > Any suggestions? >
As a provider implementor, I found the timestamp-nonce verification a little heavy on the database side (using multiple VMs with no sticky sessions, so in-memory caching is not an option). From a database standpoint, it would mean storing the TS+nonce for the +/- time window in the db, plus regular cleanup, which gets more and more high-maintenance with heavy transactional volumes.

I'd think setting up the window to +/- 3 minutes should help mitigate replay attacks; however, this will most certainly guarantee protection. The only thing that can protect is persisting the ts-nonce tuple either in-memory or in-database. You'd have to consider if adding this extra baggage is worth it based on the application and its audience IMO.

-cheers,
Manish
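The check Manish describes, as an added example that is not part of the original post or of any OAuth library: a provider-side store of (consumer key, timestamp, nonce) tuples with a +/- 3 minute acceptance window. The class and function names are hypothetical; the request values are constructed inline. The point the example makes concrete is the one the thread circles around: the timestamp window does not by itself stop a replay inside the window, but it does bound how long each tuple has to be remembered, which is what keeps the cleanup problem finite.

```python
"""Timestamp + nonce replay check for an OAuth-style provider.

Added example, not the poster's code. Assumes each signed request
carries a consumer key, an integer Unix timestamp and a nonce; the
NonceStore name and method signatures are hypothetical.
"""
import time
from dataclasses import dataclass, field

WINDOW_SECONDS = 180  # the +/- 3 minute window suggested in the thread


@dataclass
class NonceStore:
    """In-memory store of (consumer_key, timestamp, nonce) tuples.

    Only tuples inside the acceptance window are kept. A request whose
    timestamp has fallen out of the window is rejected by the timestamp
    check alone, so its nonce no longer needs to be remembered.
    """
    window: int = WINDOW_SECONDS
    seen: dict = field(default_factory=dict)  # (consumer, ts, nonce) -> ts

    def check(self, consumer_key: str, timestamp: int, nonce: str,
              now: int) -> tuple[bool, str]:
        # 1. Timestamp window: rejects stale requests and bounds the
        #    lifetime of every stored tuple.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        # 2. Cleanup: drop tuples that can no longer pass step 1. Done
        #    inline here; a scheduled job would do the same thing.
        self.purge(now)
        # 3. Uniqueness: the same tuple seen twice inside the window is
        #    a replay. The timestamp is part of the key because a nonce
        #    only has to be unique per consumer and timestamp.
        key = (consumer_key, timestamp, nonce)
        if key in self.seen:
            return False, "replay: nonce already used"
        self.seen[key] = timestamp
        return True, "ok"

    def purge(self, now: int) -> int:
        """Remove tuples older than the window; return how many."""
        cutoff = now - self.window
        stale = [k for k, ts in self.seen.items() if ts < cutoff]
        for k in stale:
            del self.seen[k]
        return len(stale)


if __name__ == "__main__":
    store = NonceStore()
    now = int(time.time())
    # Constructed requests: a fresh one, then the identical tuple again.
    print(store.check("consumer-a", now, "nonce-1", now))
    print(store.check("consumer-a", now, "nonce-1", now + 5))
```

On the multi-VM deployment the poster describes, the dictionary becomes a table with a unique constraint on (consumer_key, timestamp, nonce) and the `seen[key] = timestamp` line becomes an insert that fails on conflict; that also closes the gap between looking up a tuple and recording it, which two VMs handling the same replayed request at once would otherwise hit. `purge` becomes a periodic `DELETE` of rows older than `now - window`, so the table never grows past the traffic of one window.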
