5

I am writing the provider part of the OAuth protocol on the serverside and I'm cracking my ahead over how much of the nonces sent by OAuth consumers that I need to cache.

According to twitter's docs,

Twitter will only allow a nonce to be used once by your application. Prevents replayed requests.

The question: My implementation will just simply add each nonces received into memcached. But this will take up a lot of memory space. How much of the nonces should I ideally cache and for how long ?

Frankie Ribery
  • 11,933
  • 14
  • 50
  • 64

1 Answers1

7

Nonces only need to be unique for all requests using the same timestamp. You should deny requests with a timestamp older then 5 minutes so you only need to store nonces for 5 minutes.

https://www.rfc-editor.org/rfc/rfc5849#section-3.3

Community
  • 1
  • 1
abraham
  • 46,583
  • 10
  • 100
  • 152