- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Mon, 30 Sep 2024 02:23:30 +0000
- To: public-webauthn@w3.org
> In my implementation experience, challenges typically need to be associated with a particular session so that the server can verify that the assertion is signed over the expected challenge for that session. How would this association be expressed in a `challengeUrl`? I'm guessing you'd have to use either query parameters or a session cookie?

If the challenge is at least 16 bytes of random data [as you recommend](https://github.com/w3c/webauthn/issues/1856#issuecomment-1438575614), then shouldn't that be enough to associate with a particular session since it's functionally globally unique? As long as the challenge is removed from memory, of course. For example, in my implementation I have a hash table keyed by the 16-byte random challenges. This hash table contains the expiration of the challenge/ceremony. When a client sends a response, either the challenge is part of the hash table or not. If it is, it is removed from the hash table and the rest of the ceremony is completed. There is "session id" involved.

--
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2152#issuecomment-2381879675 using your GitHub account
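A minimal version of the challenge-keyed pending-ceremony table described in the reply above, as an added example rather than code from the thread or from the WebAuthn spec; the injectable clock, the TTL value and the `make_client_data` helper that builds a constructed clientDataJSON are assumptions for illustration.

```python
import base64
import json
import os
import time

CHALLENGE_BYTES = 16          # at least 16 bytes of CSPRNG output
CEREMONY_TTL_SECONDS = 120.0  # lifetime of a pending ceremony (assumed value)


class ChallengeStore:
    """Pending ceremonies keyed by the raw challenge bytes; no session id is stored."""

    def __init__(self, ttl=CEREMONY_TTL_SECONDS, now=time.monotonic):
        self._pending = {}   # challenge bytes -> expiry timestamp
        self._ttl = ttl
        self._now = now      # injectable clock so expiry can be tested deterministically

    def issue(self) -> bytes:
        challenge = os.urandom(CHALLENGE_BYTES)   # unpredictable and effectively unique
        self._pending[challenge] = self._now() + self._ttl
        return challenge

    def consume(self, challenge: bytes) -> bool:
        """Single use: the entry is removed on first lookup, fresh or not, so replays fail."""
        expiry = self._pending.pop(challenge, None)
        if expiry is None:
            return False          # unknown, already used, or already purged
        return self._now() <= expiry

    def purge_expired(self) -> int:
        """Drop entries whose ceremony never completed; returns how many were removed."""
        now = self._now()
        stale = [c for c, exp in self._pending.items() if exp < now]
        for c in stale:
            del self._pending[c]
        return len(stale)


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    """Constructed clientDataJSON shaped like the one an authenticator response carries."""
    return json.dumps({"type": ceremony, "challenge": b64url_nopad(challenge), "origin": origin}).encode()


def challenge_from_client_data(client_data_json: bytes) -> bytes:
    """Recover the raw challenge the client signed over, for lookup in the store."""
    text = json.loads(client_data_json)["challenge"]
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
```

The lookup itself is the association: a response whose decoded challenge is not in the table (never issued, already consumed, or expired) is rejected without any cookie or query parameter.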
Received on Monday, 30 September 2024 02:23:31 UTC