ActiveLogin / ActiveLogin.Authentication

Support Swedish BankID (svenskt BankID) authentication in .NET. Unofficial package, not created by BankID.
https://activelogin.net
MIT License

Use ITimeLimitedDataProtector when protecting data #300

Open PeterOrneholm opened 2 years ago

PeterOrneholm commented 2 years ago

Is your feature request related to a problem? Please describe.

We are using the Data Protection functionality in ASP.NET to store temporary state that can safely be round tripped to the client (using cookies or URL). I recently learned about ITimeLimitedDataProtector that adds an extra level of security by making sure that the data protected can't/should not be unprotected after a given point in time.

What area is it related to

BankID

Describe the solution you'd like

We should use this functionality and limit the time that the data can be unprotected.

These protectors should use it:

PeterOrneholm commented 2 years ago

I've given this some thought. The ITimeLimitedDataProtector does no magic, but simply adds an expiration date to the encrypted payload and then verifies that once decrypted.

As we use ISecureDataFormat, which does not support ITimeLimitedDataProtector, we would not be able to use that feature built in but instead it should be quite simple to wrap the encrypted payload ourselves.
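
One way the wrapping described in the last comment could be done, as an added example that is not ActiveLogin's code and not part of the issue thread. The class name `ExpiringSecureDataFormat`, the 8-byte tick prefix layout and the injectable clock are assumptions; the interfaces and encoders used are the standard ASP.NET Core ones.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.WebUtilities;

// Hypothetical wrapper: prefixes the serialized state with an expiry timestamp
// before encryption and rejects the payload once that time has passed.
public sealed class ExpiringSecureDataFormat<TData> : ISecureDataFormat<TData>
{
    private readonly IDataSerializer<TData> _serializer;
    private readonly IDataProtector _protector;
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTimeOffset> _utcNow; // injectable clock (assumption, eases testing)

    public ExpiringSecureDataFormat(IDataSerializer<TData> serializer, IDataProtector protector,
        TimeSpan lifetime, Func<DateTimeOffset>? utcNow = null)
    {
        (_serializer, _protector, _lifetime) = (serializer, protector, lifetime);
        _utcNow = utcNow ?? (() => DateTimeOffset.UtcNow);
    }

    public string Protect(TData data) => Protect(data, purpose: null);
    public string Protect(TData data, string? purpose)
    {
        byte[] body = _serializer.Serialize(data);
        byte[] plaintext = new byte[sizeof(long) + body.Length];
        // The expiry sits inside the authenticated ciphertext, so the client cannot extend it.
        BinaryPrimitives.WriteInt64BigEndian(plaintext, (_utcNow() + _lifetime).UtcTicks);
        body.CopyTo(plaintext, sizeof(long));
        return WebEncoders.Base64UrlEncode(ForPurpose(purpose).Protect(plaintext));
    }

    public TData? Unprotect(string? protectedText) => Unprotect(protectedText, purpose: null);
    public TData? Unprotect(string? protectedText, string? purpose)
    {
        if (string.IsNullOrEmpty(protectedText)) return default;
        try
        {
            byte[] plaintext = ForPurpose(purpose).Unprotect(WebEncoders.Base64UrlDecode(protectedText));
            if (plaintext.Length < sizeof(long)) return default;
            long expiresUtcTicks = BinaryPrimitives.ReadInt64BigEndian(plaintext);
            if (_utcNow().UtcTicks >= expiresUtcTicks) return default; // expired: treat as invalid
            return _serializer.Deserialize(plaintext.AsSpan(sizeof(long)).ToArray());
        }
        // Tampered data, wrong key or purpose, or malformed encoding all fail closed.
        catch (Exception ex) when (ex is CryptographicException or FormatException) { return default; }
    }

    private IDataProtector ForPurpose(string? purpose) =>
        string.IsNullOrEmpty(purpose) ? _protector : _protector.CreateProtector(purpose);
}
```

The lifetime only bounds how long a captured cookie or URL value stays usable; it does not make the value single-use, so replay within the window is still possible.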