[dev] [commits] Horde branch master updated. 17c3c203f309f2d3170033708374d04eb77cb36b
Michael M Slusarz
slusarz at horde.org
Tue Nov 16 18:49:04 UTC 2010
Quoting Gunnar Wrobel <p at rdus.de>:
> Quoting Chuck Hagenbuch <chuck at horde.org>:
>
>> Quoting Gunnar Wrobel <p at rdus.de>:
>>
>>> The branch "master" has been updated.
>>> The following is a summary of the commits.
>>>
>>> from: a7078e12d5841ca7527e3b0ad59081b2a570cb56
>>>
>>> 19013c1 Initial Horde_Nonce skeleton.
>>> 17c3c20 Allow to create nonces.
>>
>> I generally know what a nonce is, but what's the intent here?
>
> Horde_Nonce should deliver lightweight tokens soon. I have some
> more commits in a local branch but it will probably take some more
> time to finish it.
>
> The idea is to avoid storing nonces/tokens in the session. Currently
> Horde mainly uses timed tokens that are being remembered in the
> session on creation. As far as I can see it would be a reasonable
> alternative to sign a timestamp with a secret from the session and
> use the combination of both as a token. Validation of the token
> requires just the token and the secret from the session again. Time
> based expiration of the token only requires the token itself.
This sounds like a promising idea. Right now, we are tremendously
inefficient when it comes to storing tokens. For example, using Horde
for even a small period of time can result in 50+ form tokens being
hauled around needlessly in the session data. This was something I
was going to look into, and this solution would be a preferred way of
dealing with this problem.
michael
--
___________________________________
Michael Slusarz [slusarz at horde.org]
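
The scheme described in the quoted text above (sign a timestamp with a secret from the session and use both as the token), as an added example that is not part of the original message and not Horde_Nonce code. HMAC-SHA256, the 1800-second lifetime, the hex encoding and all function names are assumptions. Because nothing is stored per token, a token can be replayed until it expires, so this gives a timed token rather than a single-use nonce.

```php
<?php
// Added example: stateless timed token (timestamp + signature).
// Names, HMAC-SHA256 and the lifetime are assumptions, not Horde's API.
const TOKEN_LIFETIME = 1800; // seconds (assumed value)

function token_create(string $secret, ?int $now = null): string
{
    $ts  = pack('J', $now ?? time());               // 8-byte big-endian timestamp
    $mac = hash_hmac('sha256', $ts, $secret, true); // 32-byte signature over it
    return bin2hex($ts . $mac);                     // 80 hex characters
}

// Returns [timestamp, mac], or null when the token is malformed.
function token_parse(string $token): ?array
{
    if (strlen($token) !== 80 || !ctype_xdigit($token)) {
        return null;
    }
    $raw = hex2bin($token);
    return [unpack('J', substr($raw, 0, 8))[1], substr($raw, 8)];
}

// Time-based expiry needs only the token itself: no secret, no session data.
// This is a cheap pre-check; the timestamp is not trusted until the MAC verifies.
function token_is_expired(string $token, ?int $now = null): bool
{
    $parts = token_parse($token);
    $now ??= time();
    return $parts === null || $parts[0] > $now || $now - $parts[0] > TOKEN_LIFETIME;
}

// Full validation needs the token plus the secret from the session.
function token_is_valid(string $token, string $secret, ?int $now = null): bool
{
    $parts = token_parse($token);
    if ($parts === null || token_is_expired($token, $now)) {
        return false;
    }
    $expected = hash_hmac('sha256', pack('J', $parts[0]), $secret, true);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Constructed sample run; the secret would normally live in the session.
$issued = 1289933344;                 // constructed timestamp
$secret = random_bytes(32);
$token  = token_create($secret, $issued);
var_dump(token_is_valid($token, $secret, $issued + 60));           // same secret, in time
var_dump(token_is_valid($token, random_bytes(32), $issued + 60));  // different secret
var_dump(token_is_valid($token, $secret, $issued + 3600));         // past the lifetime
```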