Nonce and Timestamp compliance


#1

How strict is the Twitter API when it comes to OAuth Nonce and Timestamp? The resolution for timestamps is in seconds. This means that several calls to the API can happen for the same timestamp when the traffic is high.

Here is what the specification says: “The Consumer SHALL then generate a Nonce value that is unique for all requests with that timestamp. A nonce is a random string, uniquely generated for each request. The nonce allows the Service Provider to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel (such as HTTP).” – http://oauth.net/core/1.0/#nonce

What does “unique for all requests with the same timestamp” mean? If it means that the Nonce value should remain the same, then that contradicts the second statement about how each nonce shall be uniquely generated for each request.

As I have implemented it now I generate a unique Nonce value for each request regardless of what the timestamp is. Is that the correct or recommended approach?


#2

Don’t worry too much about the absolute uniqueness of your OAuth nonce. This area of the specification is untenable at Twitter scale. If you have two requests issued at exactly the same time with the exact same timestamp and nonce, you’d want to avoid that scenario; but aside from that just make a reasonable effort at uniqueness; don’t bend over backwards for it.
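The two posts above describe both halves of the nonce rule: the consumer generates a fresh random nonce for every request, and the service provider rejects a request whose (timestamp, nonce) pair it has already seen, or whose timestamp is too far from its own clock. The following added example (not code from the original thread, not Twitter's implementation, and not the OAuth reference library) shows a minimal version of both sides in Python. `generate_nonce`, `ReplayGuard` and the 300-second window are assumptions for illustration; the OAuth 1.0 specification does not fix a window size.

```python
import secrets
import time
from collections import deque

def generate_nonce() -> str:
    """Consumer side: a fresh 128-bit random nonce for every request,
    independent of the timestamp (the approach the question asker took)."""
    return secrets.token_hex(16)

class ReplayGuard:
    """Service-provider side check modelled on the OAuth 1.0 nonce/timestamp rule.

    A request is accepted only if its timestamp lies within `window` seconds of
    the server clock and the (timestamp, nonce) pair has not been seen before.
    Pairs older than the window are forgotten, so the store stays bounded
    (entries linger at most ~2 x window, since arrival order is not timestamp
    order).  `now` is injectable so the behaviour can be tested with a fixed clock.
    """

    def __init__(self, window: int = 300, now=time.time):
        self.window = window
        self.now = now
        self.seen = set()      # (timestamp, nonce) pairs currently remembered
        self.order = deque()   # same pairs in arrival order, for pruning

    def _prune(self, current: int) -> None:
        cutoff = current - self.window
        while self.order and self.order[0][0] < cutoff:
            self.seen.discard(self.order.popleft())

    def check(self, timestamp: int, nonce: str) -> tuple:
        """Return (accepted, reason). Timestamp is checked before the nonce so a
        stale request never costs a store entry."""
        current = int(self.now())
        self._prune(current)
        if abs(current - timestamp) > self.window:
            return False, "timestamp outside acceptable window"
        key = (timestamp, nonce)
        if key in self.seen:
            return False, "nonce already used with this timestamp"
        self.seen.add(key)
        self.order.append(key)
        return True, "ok"

def demo() -> list:
    """Walk through the cases discussed in the thread with a constructed clock."""
    clock = [1_700_000_000]                     # constructed server time
    guard = ReplayGuard(window=300, now=lambda: clock[0])
    ts = clock[0]
    n1, n2 = generate_nonce(), generate_nonce()
    results = [
        guard.check(ts, n1)[0],                 # first request: accepted
        guard.check(ts, n2)[0],                 # same second, different nonce: accepted
        guard.check(ts, n1)[0],                 # exact replay of the first request: rejected
        guard.check(ts + 1, n1)[0],             # same nonce, different timestamp: the
                                                # spec only requires uniqueness per timestamp
        guard.check(ts - 600, generate_nonce())[0],  # stale timestamp: rejected
    ]
    clock[0] += 301                             # server clock moves past the window
    results.append(guard.check(ts, n1)[0])      # old timestamp now rejected by the window
    return results

if __name__ == "__main__":
    print(demo())
```

The window check is what makes the nonce store finite: without it the provider would have to remember every nonce forever, which is exactly the "untenable at scale" problem the answer above refers to. Keying the store on the (timestamp, nonce) pair rather than the nonce alone matches the wording of the specification, and since the consumer draws a new random nonce per request anyway, accidental collisions within one second are practically impossible.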


#3

Ok, thanks. Good. Then I can keep the uniqueness approach.


#4

<?php
// Disable caching and declare the content type; must run before any output is sent.
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0");
header("Pragma: no-cache");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header('Content-Type: text/html; charset=utf-8');