Tie nonces to the current session
Reported by: ryan
Owned by:
Cc: scribu, johnbillion, juliobosk@…
OWASP specifies that "the synchronizer token pattern requires the generating of random challenge tokens that are associated with the user's current session." Our nonces have a timeout, but that timeout can span cookie sessions. Instead, nonces should be somehow tied to the current auth cookie and invalidate whenever the cookie invalidates.
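The following is an added illustration of the approach the ticket asks for; it is example code written for this page, not WordPress core and not code posted by the reporter. It folds the session token carried by the auth cookie into the nonce HMAC, so a nonce stops verifying the moment that session is destroyed, even if it is still inside its time window. `SECRET_KEY`, the `$sessions` array standing in for the server-side session store, and the 24-hour two-tick window are assumptions made for the example.

```php
<?php
// Added example, not WordPress core code. A synchronizer token bound to the
// current session token as well as to a time window. Assumptions: SECRET_KEY is
// a server-side secret, and $sessions stands in for whatever store holds the
// user's live session tokens (the auth cookie carries one of them).

const SECRET_KEY = 'constructed-example-secret-use-random-bytes-in-practice';
const NONCE_LIFE = 86400; // 24-hour window split into two ticks (assumed, like a typical default)

// A tick changes every NONCE_LIFE/2 seconds; verify_nonce() accepts the
// current tick and the previous one, so a nonce is valid for 12 to 24 hours.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// The session token is part of the MAC input: a different (or revoked)
// session means the same action/user pair yields a different nonce.
function nonce_hash(int $tick, string $action, int $user_id, string $session_token): string
{
    $data = $tick . '|' . $action . '|' . $user_id . '|' . $session_token;
    return substr(hash_hmac('sha256', $data, SECRET_KEY), -12, 10);
}

// Issue a nonce for the session the caller is currently logged in with.
function create_nonce(string $action, int $user_id, string $session_token, int $now): string
{
    return nonce_hash(nonce_tick($now), $action, $user_id, $session_token);
}

// Returns 1 (current tick), 2 (previous tick) or 0 (invalid). $session_token is
// the token from the auth cookie; pass null when the cookie is absent or the
// session it names no longer exists in the store.
function verify_nonce(string $nonce, string $action, int $user_id, ?string $session_token, int $now): int
{
    if ($session_token === null || $nonce === '') {
        return 0; // no live session: there is nothing for the nonce to be bound to
    }
    $tick = nonce_tick($now);
    if (hash_equals(nonce_hash($tick, $action, $user_id, $session_token), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_hash($tick - 1, $action, $user_id, $session_token), $nonce)) {
        return 2;
    }
    return 0;
}

// --- constructed walk-through ---------------------------------------------
$user_id  = 7;
$now      = 1700000000;
$sessions = []; // token => expiry; stands in for the server-side session store

// Log in: mint a session token and (conceptually) put it in the auth cookie.
$token = bin2hex(random_bytes(16));
$sessions[$token] = $now + 2 * 86400;

$nonce = create_nonce('delete-post_42', $user_id, $token, $now);
echo "nonce for live session: ", verify_nonce($nonce, 'delete-post_42', $user_id, $token, $now), "\n";

// Log out: the store forgets the token, so looking up the cookie's token yields null.
unset($sessions[$token]);
$cookie_token = array_key_exists($token, $sessions) ? $token : null;
echo "same nonce after logout: ", verify_nonce($nonce, 'delete-post_42', $user_id, $cookie_token, $now), "\n";

// Log in again within the same time window: a fresh session token means a fresh
// nonce namespace, so the old nonce is rejected even though its tick is still current.
$token2 = bin2hex(random_bytes(16));
$sessions[$token2] = $now + 2 * 86400;
echo "old nonce in new session: ", verify_nonce($nonce, 'delete-post_42', $user_id, $token2, $now), "\n";
```

The first verification succeeds because the nonce was minted under the live session token. The second fails because logging out removed that token from the store, so the verifier has no session to bind the nonce to. The third fails because the new login has a different session token, which changes the MAC input even though the nonce's tick has not expired; that is the property the ticket asks for, a nonce whose lifetime is the intersection of its time window and its session rather than the time window alone.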