-rw-r--r-- | Auth/OpenID/Consumer.php | 15 | ||||
-rw-r--r-- | Auth/OpenID/DumbStore.php | 7 |
2 files changed, 4 insertions, 18 deletions
diff --git a/Auth/OpenID/Consumer.php b/Auth/OpenID/Consumer.php
index dea5326..a7759ab 100644
--- a/Auth/OpenID/Consumer.php
+++ b/Auth/OpenID/Consumer.php
@@ -213,13 +213,6 @@ define('Auth_OpenID_DEFAULT_NONCE_CHRS',"abcdefghijklmnopqrstuvwxyz" .
"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
/**
- * This is the number of seconds the tokens generated by this library
- * will be valid for. If you want to change the lifetime of a token,
- * set this value to the desired lifespan, in seconds.
- */
-define('Auth_OpenID_DEFAULT_TOKEN_LIFETIME', 60 * 5); // five minutes
-
- /**
- * An OpenID consumer implementation that performs discovery and does
* session management. See the Consumer.php file documentation for
* more information.
@@ -253,10 +246,7 @@ class Auth_OpenID_Consumer {
* filesystem-backed store, see the {@link Auth_OpenID_FileStore}
* module. As a last resort, if it isn't possible for the server
* to store state at all, an instance of {@link
- * Auth_OpenID_DumbStore} can be used. This should be an absolute
- * last resort, though, as it makes the consumer vulnerable to
- * replay attacks over the lifespan of the tokens the library
- * creates.
+ * Auth_OpenID_DumbStore} can be used.
*
* @param mixed session An object which implements the interface
* of the Services_Yadis_Session class. Particularly, this object
@@ -440,9 +430,6 @@ class Auth_OpenID_GenericConsumer {
* filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
* As a last resort, if it isn't possible for the server to store
* state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
- * This should be an absolute last resort, though, as it makes the
- * consumer vulnerable to replay attacks over the lifespan of the
- * tokens the library creates.
*
* @param bool $immediate This is an optional boolean value. It
* controls whether the library uses immediate mode, as explained
diff --git a/Auth/OpenID/DumbStore.php b/Auth/OpenID/DumbStore.php
index b4216ab..d4d8a8b 100644
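Review bot: Removing `define('Auth_OpenID_DEFAULT_TOKEN_LIFETIME', 60 * 5);` in the first hunk drops a public constant with no replacement or deprecation, so integrator code that read or compared against it will break; if nothing in the library consults it any more, the commit should say so and keep a `@deprecated` stub for one release, and if the lifetime check moved elsewhere, the doc comment at the removal site should point there. The second and third hunks also go further than the constant removal requires: only the "over the lifespan of the tokens" bound became inaccurate, yet the entire replay-attack caveat is deleted from both constructor docblocks while DumbStore.php in the same commit still documents that vulnerability. I would keep the warning minus the bound, e.g. ` * Auth_OpenID_DumbStore} can be used. This should be an absolute` / ` * last resort, though, as it makes the consumer vulnerable to` / ` * replay attacks.` in the second hunk, and the parallel three lines in the third. Both docblocks belong to constructors whose bodies lie outside the hunks.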
--- a/Auth/OpenID/DumbStore.php
+++ b/Auth/OpenID/DumbStore.php
@@ -23,9 +23,8 @@ require_once 'Auth/OpenID/HMACSHA1.php';
/**
* This is a store for use in the worst case, when you have no way of
* saving state on the consumer site. Using this store makes the
- * consumer vulnerable to replay attacks (though only within the
- * lifespan of the tokens), as it's unable to use nonces. Avoid using
- * this store if it is at all possible.
+ * consumer vulnerable to replay attacks, as it's unable to use
+ * nonces. Avoid using this store if it is at all possible.
*
* Most of the methods of this class are implementation details.
* Users of this class need to worry only about the constructor.
@@ -89,7 +88,7 @@ class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore {
/**
* In a system truly limited to dumb mode, nonces must all be
* accepted. This therefore always returns true, which makes
- * replay attacks feasible during the lifespan of the token.
+ * replay attacks feasible.
*/
function useNonce($nonce) { |
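Review bot: The rewritten sentence in the first hunk now describes an unbounded replay exposure, which follows from dropping the token lifetime, but the class docblock no longer tells an operator what, if anything, still limits the replay window for a consumer using this store. If a nonce timestamp check elsewhere in the library still applies, this is the place to reference it; if not, the sentence should state the absence of a bound outright, e.g. ` * consumer vulnerable to replay attacks with no time bound, as it's` / ` * unable to use nonces. Avoid using this store if it is at all possible.`. The second hunk makes the same wording change on useNonce(), whose body continues past the end of this chunk.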