Fingerprint For State


Paul Tiseo

Oct 29, 2015, 5:04:30 PM
to actionHero.js

When doing third-party OAuth2 authentication, you really should supply the state parameter to prevent forgery attacks. Usually, you hash something known, but variable to each authentication attempt, say clientID or timestamp.

I was considering hashing data.connection.fingerprint, which would mean one can avoid having to store the value used (before hashing) to the DB, but still allow easy comparison/verification.

Does anyone see any potential issue with this approach?

Evan Tahler

Oct 29, 2015, 5:12:17 PM
to actionHero.js
Seems fine to me!

For HTTP clients (which I assume you are using due to OAuth), the fingerprint is stored in a cookie, and is sufficiently random. Just do the normal cookie protection stuff (HTTP-only, SSL, etc.), and you should be fine.