@robocoder opened this issue on March 13th 2010

getNonce(), verifyNonce() - use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capabaility to expire entries - a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value) - a more robust defense should incorporate referrer checking

@robocoder commented on March 15th 2010

(In [1915]) refs #1202 - example of using nonce

@robocoder commented on March 15th 2010

[1914] fixes #1202 - provide utility nonce functions for plugin framework

@robocoder commented on March 16th 2010

(In [1919]) refs #1202 - add comments and tweak algorithm

This issue was closed on March 16th 2010
Powered by GitHub Issue Mirror