> That was my first thought as well, but in that case, I would expect
> the request failures to be randomly distributed and relatively
> infrequent. In this case it fails every time (tested over a period of 6
> hours yesterday). I've also not encountered this issue with any of the
> other OAuth providers we use: Google, Yahoo or LinkedIn. In the case of
> Twitter, every request using the standard user facing auth dance
> succeeds as well. That said, I can certainly introduce an additional
> factor to enhance the uniqueness of generated nonce values to test this
> further.

Why not just incorporate the current time into your random nonce? That's
the easiest way. If you are already doing that, the only thing I can
suggest is either using higher resolution timers or more bits of entropy.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- /etc/motd: /earth is 98% full. please delete anyone you can. ---------------
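
The suggestion in the reply above (mix the current time into the nonce, with a higher resolution timer or more bits of entropy), as an added example that is not part of the original message. The function names, the 16-bit weak case and the fixed timestamp are assumptions chosen for illustration.

```python
import secrets
import time


def weak_nonce(now=None, rand_bits=16):
    """Second-resolution time plus a few random bits: repeats under load."""
    ts = int(time.time() if now is None else now)
    return f"{ts:x}{secrets.randbits(rand_bits):04x}"


def strong_nonce(entropy_bytes=16):
    """Nanosecond timestamp plus 128 bits from the OS CSPRNG."""
    return f"{time.time_ns():x}{secrets.token_hex(entropy_bytes)}"


def count_duplicates(make, n):
    """Generate n nonces with make() and count how many were already seen."""
    seen = set()
    dups = 0
    for _ in range(n):
        value = make()
        if value in seen:
            dups += 1
        seen.add(value)
    return dups


def demo(n=70000):
    # Constructed timestamp: models a burst of requests inside one second,
    # so the time component adds nothing and only the random bits differ.
    fixed = 1_300_000_000
    weak = count_duplicates(lambda: weak_nonce(now=fixed), n)
    strong = count_duplicates(strong_nonce, n)
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print(f"weak nonce duplicates:   {weak}")
    print(f"strong nonce duplicates: {strong}")
```

With 70000 draws from a 16-bit space the weak generator must repeat (only 65536 values exist within one second), which is the kind of reuse a provider's nonce check rejects.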
