@robocoder opened this Issue on March 13th 2010 Contributor

getNonce(), verifyNonce()

  • use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capability to expire entries
  • a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value)
  • a more robust defense should incorporate referrer checking
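
The three points above, worked through as an added example (this is not the issue author's code, nor Piwik's own Nonce implementation). It assumes Zend Framework 1 is autoloadable, PHP 7.0 or later (for random_bytes and hash_equals), and the class name, namespace name and the strict "no referrer means reject" policy are all assumptions made here for illustration:

```php
<?php
// Added example, not Piwik's own code: session-stored one-time nonces built on
// Zend_Session_Namespace (per-entry expiry), an unpredictable token source, and
// the referrer check the issue asks for.
// Assumptions: Zend Framework 1 on the include path; PHP >= 7.0.
require_once 'Zend/Session/Namespace.php';

class NonceExample
{
    /** Session namespace used for nonces (name chosen for this example). */
    const NAMESPACE_NAME = 'NonceExample';

    /**
     * Create a nonce for the form or action identified by $id, store it in the
     * session and let it expire after $ttl seconds. The token comes from the
     * OS CSPRNG via random_bytes(), not from time() or the user name, so there
     * is no predictable input and no single low-entropy PRNG value to guess.
     */
    public static function getNonce($id, $ttl = 600)
    {
        $ns = new Zend_Session_Namespace(self::NAMESPACE_NAME);
        $nonce = bin2hex(random_bytes(16)); // 128 bits of entropy
        $ns->$id = $nonce;
        // Zend_Session_Namespace can expire a single entry: pass its key as 2nd arg.
        $ns->setExpirationSeconds($ttl, $id);
        return $nonce;
    }

    /**
     * Verify the nonce submitted for $id. Returns true only if a nonce for $id
     * is still in the session (i.e. not expired), matches in constant time, and
     * the request's Referer host equals the host we were reached on. The stored
     * nonce is discarded whether or not the check succeeds, so it is single-use.
     * $server defaults to $_SERVER; it is a parameter so the check is testable.
     */
    public static function verifyNonce($id, $cnonce, array $server = null)
    {
        $server = ($server === null) ? $_SERVER : $server;
        $ns = new Zend_Session_Namespace(self::NAMESPACE_NAME);
        $stored = isset($ns->$id) ? $ns->$id : null;
        unset($ns->$id); // one-time use: remove before comparing
        if ($stored === null || !is_string($cnonce)) {
            return false;
        }
        if (!hash_equals($stored, $cnonce)) {
            return false;
        }
        return self::referrerMatchesHost($server);
    }

    /**
     * Referer host must be present and equal (case-insensitively) to HTTP_HOST.
     * A missing Referer is treated as cross-site and rejected; that strictness
     * is a policy choice made for this example, not something the issue fixes.
     */
    public static function referrerMatchesHost(array $server)
    {
        if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
            return false;
        }
        $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
        // Prefix a scheme so parse_url() separates host from any :port suffix.
        $ownHost = parse_url('http://' . $server['HTTP_HOST'], PHP_URL_HOST);
        return $refHost !== null && $ownHost !== null
            && strtolower($refHost) === strtolower($ownHost);
    }
}

// Usage sketch: when rendering the form
//   $nonce = NonceExample::getNonce('Login.login');   // embed as a hidden field
// and when handling the POST
//   if (!NonceExample::verifyNonce('Login.login', $_POST['nonce'])) { /* reject */ }
```

Two caveats a practitioner would add: browsers and privacy extensions may strip the Referer header, so a strict referrer policy will reject some legitimate users (checking the Origin header when present is a common fallback), and behind a reverse proxy HTTP_HOST must be the externally visible host or the comparison will always fail.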
@robocoder commented on March 15th 2010 Contributor

(In [1915]) refs #1202 - example of using nonce

@robocoder commented on March 15th 2010 Contributor

[1914] fixes #1202 - provide utility nonce functions for plugin framework

@robocoder commented on March 16th 2010 Contributor

(In [1919]) refs #1202 - add comments and tweak algorithm

This Issue was closed on March 16th 2010