Zhihong, our consumers are our applications (binaries) running on mobile devices. The HTTP header suggestion seems to be a good idea.

Manish, true, your concern gave me an idea: enforce TS+Nonce checking for CRUD operation calls only and not for simple fetch calls.

Thanks folks,
Monis

On Jul 6, 10:55 am, Manish Pandit <[email protected]> wrote:
> On Jul 4, 3:10 pm, Monis <[email protected]> wrote:
>
> > Any suggestions?
>
> As a provider implementor, I found the timestamp-nonce verification a
> little heavy on the database side (using multiple VMs with no sticky
> sessions, so in-memory caching is not an option). From a database
> standpoint, it would mean storing the TS+nonce for the +/- time window
> in the db, plus regular cleanup, which gets more and more high-maintenance
> with heavy transactional volumes. I'd think setting up the window to
> +/- 3 minutes should help mitigate replay attacks; however, this will
> most certainly guarantee protection. The only thing that can protect
> is persisting the ts-nonce tuple either in-memory or in-database.
> You'd have to consider if adding this extra baggage is worth it based
> on the application and its audience IMO.
>
> -cheers,
> Manish
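The verifier-side check the thread describes (reject requests whose timestamp falls outside a +/- 3 minute window, reject a repeated consumer/timestamp/nonce tuple inside it, and expire stored tuples once the window has passed), written here as an added example that is not code from the thread or any OAuth library. The `NonceStore` class and its in-memory set stand in for the database table Manish mentions; a multi-VM provider would back the same logic with a shared store.

```python
import time
from collections import deque

WINDOW_SECONDS = 180  # +/- 3 minutes, the window suggested in the thread


class NonceStore:
    """Timestamp + nonce replay check for a single verifier instance.

    Constructed stand-in for a shared database table: `_seen` answers
    "have we accepted this tuple?", `_order` drives periodic cleanup.
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = set()     # (consumer_key, timestamp, nonce)
        self._order = deque()  # (accepted_at, tuple), oldest first

    def _expire(self, now):
        # A tuple accepted at time t had ts >= t - window, so by
        # t + 2*window the timestamp check alone rejects it and the
        # stored copy is no longer needed.
        while self._order and self._order[0][0] < now - 2 * self.window:
            self._seen.discard(self._order.popleft()[1])

    def check(self, consumer_key, timestamp, nonce, now=None):
        """Return (accepted, reason); the tuple is recorded only if accepted."""
        now = time.time() if now is None else now
        self._expire(now)
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False, "bad_timestamp"
        if abs(now - ts) > self.window:
            # Outside the window: reject without touching the store.
            return False, "timestamp_out_of_window"
        key = (consumer_key, ts, nonce)
        if key in self._seen:
            # Same consumer, timestamp and nonce seen before: a replay.
            return False, "nonce_replayed"
        self._seen.add(key)
        self._order.append((now, key))
        return True, "ok"

    def stored(self):
        """Number of tuples currently held (useful to watch cleanup)."""
        return len(self._seen)
```

Monis's refinement of applying the check only to CRUD calls would simply be a matter of which request handlers call `check`; the store itself does not change.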
