An API client of ours was implementing an HTTP client for our web service and in helping them get it right they finally succeeded in correctly constructing the signature, but the HTTP_DATE was a day in the future and the request authenticated successfully.
This raised the question of whether or not a more thorough invalid date check is needed.
Should the authentic? method check that a request is both not too old and not too new? Perhaps neither more than 15 minutes in the past and future?
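A symmetric freshness window of the kind the question proposes, as an added Ruby example that is not part of the original post and not the library's own code. The canonical-string layout, the use of HMAC-SHA256, and the names `sign`, `verify` and `MAX_CLOCK_SKEW` are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'time'

MAX_CLOCK_SKEW = 15 * 60 # seconds; the 15-minute figure floated in the question

# Constant-time comparison so a mismatch does not leak where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical canonical string: method, path and Date header (assumed layout).
def sign(secret, http_method, path, date_header)
  canonical = [http_method.upcase, path, date_header].join(',')
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, canonical))
end

# Returns :ok, :bad_date, :stale, :future or :bad_signature.
def verify(secret, http_method, path, date_header, signature, now: Time.now)
  begin
    sent_at = Time.httpdate(date_header.to_s)
  rescue ArgumentError
    return :bad_date # missing or malformed Date header
  end
  skew = now - sent_at # positive: request is old; negative: dated in the future
  return :stale  if skew >  MAX_CLOCK_SKEW
  return :future if skew < -MAX_CLOCK_SKEW
  expected = sign(secret, http_method, path, date_header)
  secure_equal?(expected, signature.to_s) ? :ok : :bad_signature
end

# Constructed sample data: a fixed "server clock" and a demo secret.
NOW    = Time.utc(2024, 1, 10, 12, 0, 0)
SECRET = 'constructed-demo-secret'

# Signs a request dated NOW + offset_seconds correctly, then verifies it at NOW.
def demo(offset_seconds)
  date = (NOW + offset_seconds).httpdate
  verify(SECRET, 'GET', '/orders/1', date, sign(SECRET, 'GET', '/orders/1', date), now: NOW)
end
```

With this check, a correctly signed request dated a day ahead is rejected as `:future` instead of authenticating, and the same signature cannot be replayed once the window has passed.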