This repository has been archived by the owner on Aug 28, 2023. It is now read-only.
Currently, we only save one value of nonce and state. This will not work in cases when a user has multiple tabs open. Consider the scenario:
User opens the app in tab 1, clicks on login, gets redirected to AAD => this will set the session nonce
User opens the app in tab 2, clicks on login, gets redirected to AAD => this will overwrite the nonce set in the step above
User logs in tab 1, the nonce validation will fail. This will return an error to the app that nonce did not match.
Also, we should delete the nonce only if it matches, otherwise not. We need to think about saving multiple nonces at a time.
Same applies for state.
Handling multiple nonce/state pairs means we can't remove them from session automatically, so we'll need an expiration policy and cleanup process to remove old nonce/state pairs from the session.
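
One way to keep several nonce/state pairs per session with expiry and match-only deletion, as discussed in this thread. This is an added example, not the project's code; the `session.pendingLogins` field, the function names, the 10-minute TTL and the cap of 10 pending logins are all assumptions.

```javascript
const { randomBytes, timingSafeEqual } = require('crypto');

const TTL_MS = 10 * 60 * 1000; // assumed lifetime of a pending login
const MAX_PENDING = 10;        // assumed cap on pending logins per session

// Expiration policy: drop every pair whose lifetime has passed.
function prune(session, now) {
  session.pendingLogins =
    (session.pendingLogins || []).filter(p => p.expires > now);
}

// Call before redirecting to the identity provider: one new pair per tab.
function beginLogin(session, now = Date.now()) {
  prune(session, now);
  const pair = {
    state: randomBytes(16).toString('hex'),
    nonce: randomBytes(16).toString('hex'),
    expires: now + TTL_MS,
  };
  session.pendingLogins.push(pair);
  // Cleanup: keep only the newest MAX_PENDING pairs so the session stays bounded.
  session.pendingLogins = session.pendingLogins.slice(-MAX_PENDING);
  return { state: pair.state, nonce: pair.nonce };
}

// Constant-time string comparison; unequal lengths never match.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// Call on the redirect back: `state` is from the response, `nonce` from the ID token.
// A pair is removed only when both values match, so a mismatched or forged
// response cannot evict another tab's pending login.
function completeLogin(session, state, nonce, now = Date.now()) {
  prune(session, now);
  const i = session.pendingLogins.findIndex(
    p => safeEqual(p.state, state) && safeEqual(p.nonce, nonce));
  if (i === -1) return false;
  session.pendingLogins.splice(i, 1); // single use: a replay of the same pair fails
  return true;
}
```
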