1. Say max-offset is 10.
2. A user uses a stale token value that is 10 sequence numbers out of date.
3. The users file will have a -10 recorded for the sequence offset.
4. User uses another stale token value that is -15 stale - allowed because this is within the window [-20, 0] (having radius max-offset = 10).
5. Users file now has -15 recorded for the sequence offset.
6. User is no longer able to login with a current token value, because zero is not inside the window [-25, -5] (having radius max-offset = 10).
To more gracefully handle this scenario, suggest the following: When checking
time-based tokens for users having a negative sequence offset, accept token
values having any offset between the user's negative sequence offset and zero.
So in the above example, we'd use [-25, 0] instead of [-25, -5] as the
acceptable window. This allows users who have used stale time-based token
values to "catch back up".
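As an added illustration (not the module's own code), the model below replays the six-step scenario above with both the current symmetric window and the proposed "catch-up" window. Token values are represented by their offset from the current time slot, which is a simplification of this model, not the real interface; `max_offset` and the recorded user offset follow the example values in the report.

```python
# Model of the time-based token window logic discussed in this report.
# Constructed example: tokens are represented by their offset (in time
# slots) from the true current slot, so 0 is a fresh token and -15 is a
# token fifteen slots stale.

MAX_OFFSET = 10  # the "max-offset" radius used in the report's example


def acceptable_window(stored_offset, max_offset, catch_up=False):
    """Return the inclusive (low, high) window of token offsets to accept.

    Current behaviour: the window is centred on the offset recorded in the
    users file, with radius max_offset.  Proposed behaviour (catch_up=True):
    when the recorded offset is negative, the window is additionally
    extended up to zero, so a user with a correct clock can always get
    back in.  Note that the catch-up window is a strict superset of the
    symmetric one, so it accepts more stale values than before; the extra
    values are exactly those between stored_offset + max_offset and 0.
    """
    low = stored_offset - max_offset
    high = stored_offset + max_offset
    if catch_up and stored_offset < 0:
        high = max(high, 0)
    return low, high


def check_token(stored_offset, token_offset, max_offset, catch_up=False):
    """Return (accepted, new_stored_offset).

    On success the users file would record the offset of the token that
    was just accepted, which is what lets the window drift in the first
    place.  On failure the recorded offset is left unchanged.
    """
    low, high = acceptable_window(stored_offset, max_offset, catch_up)
    if low <= token_offset <= high:
        return True, token_offset
    return False, stored_offset


def simulate(token_offsets, max_offset=MAX_OFFSET, catch_up=False):
    """Run a sequence of login attempts starting from a recorded offset of 0."""
    stored = 0
    results = []
    for offset in token_offsets:
        accepted, stored = check_token(stored, offset, max_offset, catch_up)
        results.append(accepted)
    return results


if __name__ == "__main__":
    # Steps 2, 4 and 6 of the report: -10 stale, -15 stale, then a fresh token.
    print("current window:", simulate([-10, -15, 0]))           # [True, True, False]
    print("catch-up window:", simulate([-10, -15, 0], catch_up=True))  # [True, True, True]
```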
Original issue reported on code.google.com by archie.c...@gmail.com on 25 May 2011 at 1:09