jbufu / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

org.openid4java.server.IncrementalNonceGenerator is not cluster-safe #206

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
In case there are several OpenID providers in a cluster (e.g. using the JdbcServerAssociationStore), the default IncrementalNonceGenerator can lead to having the same openid.response_nonce for different requests. Additional entropy is needed to prevent such a situation. See attached file for a fix.

Original issue reported on code.google.com by cedrik.l...@gmail.com on 19 Dec 2013 at 1:47

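The collision described in the issue, and the kind of fix it asks for, as an added stand-alone illustration (not the attached patch and not openid4java's own code; it uses only the JDK and does not implement the project's NonceGenerator interface). Both generator classes are hypothetical: `CounterNonceGenerator` models a nonce built from the current UTC timestamp plus an in-process counter, and `RandomNonceGenerator` appends a per-node identifier (assumed to come from deployment configuration) and SecureRandom bytes. The timestamp prefix follows the OpenID 2.0 response_nonce format, a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by a unique string, with the whole value kept well under the 255-character limit.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/** Added example: why a per-JVM counter nonce collides across cluster nodes. */
public class ClusterNonceDemo {

    // OpenID 2.0 response_nonce prefix: UTC timestamp "YYYY-MM-DDThh:mm:ssZ"
    private static final DateTimeFormatter TS =
        DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss'Z'").withZone(ZoneOffset.UTC);

    /** Counter-based generator (hypothetical). Its only state is in-process,
     *  so two nodes that answer requests in the same second start at the same
     *  counter value and emit identical nonces. */
    static final class CounterNonceGenerator {
        private String lastTimestamp = "";
        private int counter = 0;

        synchronized String next(Instant now) {
            String ts = TS.format(now);
            if (ts.equals(lastTimestamp)) {
                counter++;
            } else {
                lastTimestamp = ts;
                counter = 0;
            }
            return ts + counter;
        }
    }

    /** Random-suffix generator (hypothetical). A per-node id plus 96 bits of
     *  SecureRandom output make the suffix unique without any shared store. */
    static final class RandomNonceGenerator {
        private final SecureRandom rng = new SecureRandom();
        private final String nodeId; // assumed to be configured per cluster node

        RandomNonceGenerator(String nodeId) {
            this.nodeId = nodeId;
        }

        String next(Instant now) {
            byte[] buf = new byte[12];
            rng.nextBytes(buf);
            String suffix = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            return TS.format(now) + nodeId + "-" + suffix;
        }
    }

    public static void main(String[] args) {
        // Same wall-clock second on both nodes, as happens under a load balancer
        Instant now = Instant.now();

        CounterNonceGenerator nodeA = new CounterNonceGenerator();
        CounterNonceGenerator nodeB = new CounterNonceGenerator();
        String a = nodeA.next(now);
        String b = nodeB.next(now);
        System.out.println("counter nonces: " + a + " / " + b
            + " collide=" + a.equals(b)); // collide=true

        RandomNonceGenerator randA = new RandomNonceGenerator("a");
        RandomNonceGenerator randB = new RandomNonceGenerator("b");
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < 1000; i++) {
            seen.add(randA.next(now));
            seen.add(randB.next(now));
        }
        System.out.println("random nonces generated: 2000, distinct: " + seen.size());
        System.out.println("sample: " + randA.next(now)
            + " (" + randA.next(now).length() + " chars, limit 255)");
    }
}
```

The random suffix removes the need for cross-node coordination, but it does not replace replay checking: the relying party still has to record each nonce it accepts and reject a repeat, and the timestamp prefix is what lets it expire old entries.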