Mitigates timing attack on random number generator.

author: Andrew Arnott <andrewarnott@gmail.com> 2012-12-25 16:56:08 -0800
committer: Andrew Arnott <andrewarnott@gmail.com> 2012-12-25 16:56:08 -0800
commit: 6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f (patch)
tree: 1790227bd2f6377b8403b2b628fe26e30597bb91 /src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
parent: e95fd9bcd6dbfd4f40056847dde54f600d7144a1 (diff)
download: DotNetOpenAuth-6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f.zip
DotNetOpenAuth-6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f.tar.gz
DotNetOpenAuth-6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs b/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
index 4fc8687..1fdd372 100644
--- a/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
+++ b/src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
@@ -113,7 +113,7 @@ namespace DotNetOpenAuth.OAuth2 {
 			if (this.AuthorizationTracker == null) {
 				var context = this.Channel.GetHttpContext();
 
-				string xsrfKey = (new Random()).Next().ToString(CultureInfo.InvariantCulture);
+				string xsrfKey = MessagingUtilities.GetNonCryptoRandomDataAsBase64(16);
 				cookie = new HttpCookie(XsrfCookieName, xsrfKey) {
 					HttpOnly = true,
 					Secure = FormsAuthentication.RequireSSL,
author	Andrew Arnott <andrewarnott@gmail.com>	2012-12-25 16:56:08 -0800
committer	Andrew Arnott <andrewarnott@gmail.com>	2012-12-25 16:56:08 -0800
commit	6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f (patch)
tree	1790227bd2f6377b8403b2b628fe26e30597bb91 /src/DotNetOpenAuth.OAuth2.Client/OAuth2/WebServerClient.cs
parent	e95fd9bcd6dbfd4f40056847dde54f600d7144a1 (diff)
download	DotNetOpenAuth-6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f.zip DotNetOpenAuth-6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f.tar.gz DotNetOpenAuth-6e348d7ac6fa26f9d1398dd7d2fcf71a5506c69f.tar.bz2