[symfony#3134] Trying to clarify the purpose of the nonce logic

weaverryan · weaverryan · commit 6833c3026dc2 · 2013-11-16T14:51:09.000-06:00
diff --git a/cookbook/security/custom_authentication_provider.rst b/cookbook/security/custom_authentication_provider.rst
@@ -227,6 +227,12 @@ the ``PasswordDigest`` header value matches with the user's password.
             throw new AuthenticationException('The WSSE authentication failed.');
         }
 
+        /**
+         * This function is specific to Wsse authentication and is only used to help this example
+         *
+         * For more information specific to the logic here, see
+         * https://github.com/symfony/symfony-docs/pull/3134#issuecomment-27699129
+         */
         protected function validateDigest($digest, $nonce, $created, $secret)
         {
             // Check created time is not in the future
@@ -239,7 +245,8 @@ the ``PasswordDigest`` header value matches with the user's password.
                 return false;
             }
 
-            // Validate nonce is unique within 5 minutes
+            // Validate that the nonce is *not* used in the last 5 minutes
+            // if it has, this could be a replay attack
             if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
                 throw new NonceExpiredException('Previously used nonce detected');
             }

Original file line number	Diff line number	Diff line change
@@ -227,6 +227,12 @@ the ``PasswordDigest`` header value matches with the user's password.
`227`	`227`	`throw new AuthenticationException('The WSSE authentication failed.');`
`228`	`228`	`}`
`229`	`229`
	`230`	`+ /**`
	`231`	`+ * This function is specific to Wsse authentication and is only used to help this example`
	`232`	`+ *`
	`233`	`+ * For more information specific to the logic here, see`
	`234`	`+ * https://github.com/symfony/symfony-docs/pull/3134#issuecomment-27699129`
	`235`	`+ */`
`230`	`236`	`protected function validateDigest($digest, $nonce, $created, $secret)`
`231`	`237`	`{`
`232`	`238`	`// Check created time is not in the future`
@@ -239,7 +245,8 @@ the ``PasswordDigest`` header value matches with the user's password.
`239`	`245`	`return false;`
`240`	`246`	`}`
`241`	`247`
`242`		`- // Validate nonce is unique within 5 minutes`
	`248`	`+ // Validate that the nonce is not used in the last 5 minutes`
	`249`	`+ // if it has, this could be a replay attack`
`243`	`250`	`if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {`
`244`	`251`	`throw new NonceExpiredException('Previously used nonce detected');`
`245`	`252`	`}`