author | Andrew Arnott <andrewarnott@gmail.com> | 2009-03-05 21:21:38 -0800 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-03-05 21:21:38 -0800 |
commit | fea8a2fe29087b8386167ab490b80bf5f10519f6 (patch) | |
tree | 0c9858344648915d4c72317fe96d867ed58d3d8f /samples/OpenIdProviderWebForms/Code/CustomStore.cs | |
parent | 27d5edadafd755b47ab88dd1c28dfeccc81cf3f4 (diff) | |
response_nonces are now checked for replays by the RP against just those nonces generated by the same Provider.
Fixes Google Code Issue 175.
Diffstat (limited to 'samples/OpenIdProviderWebForms/Code/CustomStore.cs')
-rw-r--r-- | samples/OpenIdProviderWebForms/Code/CustomStore.cs | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/samples/OpenIdProviderWebForms/Code/CustomStore.cs b/samples/OpenIdProviderWebForms/Code/CustomStore.cs
index b716e8d..d8181fe 100644
--- a/samples/OpenIdProviderWebForms/Code/CustomStore.cs
+++ b/samples/OpenIdProviderWebForms/Code/CustomStore.cs
@@ -79,6 +79,10 @@ namespace OpenIdProviderWebForms.Code {
 /// <summary>
 /// Stores a given nonce and timestamp.
 /// </summary>
+ /// <param name="context">The context, or namespace, within which the
+ /// <paramref name="nonce"/> must be unique.
+ /// The context SHOULD be treated as case-sensitive.
+ /// The value will never be <c>null</c> but may be the empty string.</param>
 /// <param name="nonce">A series of random characters.</param>
 /// <param name="timestamp">The timestamp that together with the nonce string make it unique.
 /// The timestamp may also be used by the data store to clear out old nonces.</param>
@@ -93,7 +97,7 @@ namespace OpenIdProviderWebForms.Code {
 /// is retrieved or set using the
 /// <see cref="StandardExpirationBindingElement.MaximumMessageAge"/> property.
 /// </remarks>
- public bool StoreNonce(string nonce, DateTime timestamp) {
+ public bool StoreNonce(string context, string nonce, DateTime timestamp) {
 // IMPORTANT: If actually persisting to a database that can be reached from
 // different servers/instances of this class at once, it is vitally important
 // to protect against race condition attacks by one or more of these:
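Review bot: The new `<param name="context">` text states the case-sensitivity requirement but never says what the value actually is, which is the thing an implementer of a store needs to know when designing the key; the commit message suggests it identifies the Provider that generated the nonce, but that is inferred rather than visible in this file. I would add, after the null/empty sentence, `/// The caller supplies this to scope replay detection (for example per issuing endpoint) rather than to a single global namespace; stores must include it in the uniqueness key together with the nonce.` The "SHOULD be treated as case-sensitive" sentence is a contract on the store, so it is worth pointing the reader at the consequence: `/// A store that compares contexts case-insensitively will merge namespaces and reject more messages than necessary.`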
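Review bot: The new `context` parameter on `StoreNonce` is accepted without any argument check, even though the documentation just above promises it is never null and the comment below anticipates persisting to a real database, where a null key would be either stored or thrown from the data layer inside the lock. A cheap guard at the top of the method keeps the contract enforced at the boundary: `if (context == null) { throw new ArgumentNullException("context"); }` (the same applies to `nonce`, which was previously unchecked too). The method body continues beyond this hunk.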
@@ -106,12 +110,12 @@ namespace OpenIdProviderWebForms.Code { // and display some message to have the user try to log in again, and possibly // warn them about a replay attack. lock (this) { - if (dataSet.Nonce.FindByCode(nonce) != null) { + if (dataSet.Nonce.FindByCodeContext(nonce, context) != null) { return false; } TimeSpan maxMessageAge = DotNetOpenAuth.Configuration.DotNetOpenAuthSection.Configuration.Messaging.MaximumMessageLifetime; - dataSet.Nonce.AddNonceRow(nonce, timestamp.ToLocalTime(), (timestamp + maxMessageAge).ToLocalTime()); + dataSet.Nonce.AddNonceRow(context, nonce, timestamp.ToLocalTime(), (timestamp + maxMessageAge).ToLocalTime()); return true; } } |
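Review bot: The replay check now depends on the typed DataSet treating the (Code, Context) pair as the unique key and on how it compares those strings: `DataTable.CaseSensitive` defaults to false, so unless the sample's DataSet sets it to true, nonces or contexts differing only in case will collide and be reported as replays — conservative rather than exploitable, but at odds with the "SHOULD be treated as case-sensitive" contract documented on the parameter, so confirm `CaseSensitive = true` on the Nonce table. Note also that `FindByCodeContext(nonce, context)` and `AddNonceRow(context, nonce, ...)` take the two strings in opposite orders; both are `string`, so a future swap would compile and silently disable replay detection, and a test that stores a nonce under one context then expects rejection under the same context and acceptance under a different one would pin this. `lock (this)` is pre-existing, but it locks a publicly reachable object; a `private readonly object nonceLock = new object();` is the conventional gate.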