OPCFoundation / UA-Java-Legacy

This repository is provided by the OPC Foundation as legacy support for a Java version for OPC UA.
https://github.com/OPCFoundation/UA-.NETStandard

Client should validate that server nonces are long enough and unique. #199

Closed jouniaro closed 4 years ago

jouniaro commented 4 years ago

It is possible that the server returns less than 32 bytes for the nonce in CreateSessionResponse (or ActivateSessionResponse). The specification requires them to always return 32 bytes or more, although in practice we may allow this to be ignored for non-secure & anonymous sessions.

The client should validate the nonce length and throw an exception at ActivateSession if the nonce provided by the server was not valid.
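
One way to implement the check requested above, covering both the length rule and the uniqueness rule from the issue title. This is an added example, not code from the issue or from the UA-Java-Legacy stack; `ServerNonceValidator`, `InvalidServerNonceException` and the `relaxed` flag are hypothetical names.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper for illustration; not a class of the UA-Java-Legacy stack.
public class ServerNonceValidator {
    static final int MIN_NONCE_LENGTH = 32; // minimum length stated in the issue

    static class InvalidServerNonceException extends Exception {
        InvalidServerNonceException(String message) { super(message); }
    }

    // Nonces already accepted on this connection; ByteBuffer compares by content.
    private final Set<ByteBuffer> seen = new HashSet<>();

    // relaxed: true only for a non-secure, anonymous session (assumed caller-supplied flag).
    public void validate(byte[] nonce, boolean relaxed) throws InvalidServerNonceException {
        if (relaxed) {
            return; // the issue allows ignoring the check in this case
        }
        if (nonce == null || nonce.length < MIN_NONCE_LENGTH) {
            int length = (nonce == null) ? 0 : nonce.length;
            throw new InvalidServerNonceException(
                "Server nonce is " + length + " bytes, expected at least " + MIN_NONCE_LENGTH);
        }
        // Set.add returns false when an equal nonce was stored before, i.e. a repeat.
        if (!seen.add(ByteBuffer.wrap(nonce.clone()))) {
            throw new InvalidServerNonceException("Server nonce repeats an earlier nonce");
        }
    }

    public static void main(String[] args) throws Exception {
        ServerNonceValidator validator = new ServerNonceValidator();
        byte[] good = new byte[32];             // constructed sample nonce
        new SecureRandom().nextBytes(good);
        validator.validate(good, false);        // accepted
        validator.validate(new byte[16], true); // short nonce tolerated when relaxed
        for (byte[] bad : new byte[][] { new byte[16], good }) { // too short, then repeated
            try {
                validator.validate(bad, false);
                throw new AssertionError("nonce should have been rejected");
            } catch (InvalidServerNonceException e) {
                System.out.println("Rejected: " + e.getMessage());
            }
        }
    }
}
```

The validator would be called on the nonce from each CreateSessionResponse and ActivateSessionResponse before the client proceeds with ActivateSession.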