I have seen various discussions here about generating nonces in PHP, but have not found any about the details of managing the "once" aspect of a nonce.
Here is my situation.
I have some PHP that needs to access a web service, and the web service's requests require my PHP to generate a nonce and sign the request (i.e. I am not requesting a nonce from the web service). This part is simple.
I am struggling to find a good solution to prevent reuse of a nonce when there may be multiple sessions.
As I see it, there are three things I could do.
One is to store nonce/timestamp pairs in the database, and then implement the logic to check the database for an existing nonce, expire old ones, etc. This would also require TRANSACTION or LOCK TABLE for thread safety. Ugh.
Two is to save nonces in APC (I cannot use memcached in my case) and let the TTL expire them. In this case, to ensure thread safety, do I need to wrap the logic in sem_acquire()/sem_release(), or is apc_add() really thread-safe? My main concern here is how to deal with the situation where apc_add() or apc_store() actually fails because the cache is full.
Three is to use Cache_Lite instead of APC.
? , OpenID nonce Cache_Lite, , , , .
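One way to implement option two, as an added example that is not from the question's author: it relies on the add-if-absent semantics of apc_add()/apcu_add() instead of a semaphore, and fails closed when the add fails for a reason other than a key collision. The APCu function names, the TTL value and the HMAC header layout are assumptions.

```php
<?php
// Added example (not from the original question). Assumes APCu-style
// functions (apcu_add/apcu_exists); on legacy APC substitute apc_add/apc_exists.

const NONCE_TTL = 600; // seconds the server tolerates; assumed value

/**
 * Generate a fresh nonce and reserve it so that no other PHP process on this
 * host can reuse it within NONCE_TTL.
 * apcu_add() stores the key only if it is absent and does so atomically per
 * key, so no sem_acquire()/sem_release() pair is needed around it.
 */
function reserve_nonce(int $ttl = NONCE_TTL, int $maxTries = 5): string
{
    for ($i = 0; $i < $maxTries; $i++) {
        $nonce = bin2hex(random_bytes(16)); // 128 bits: collisions are negligible
        $key   = 'nonce:' . $nonce;

        if (apcu_add($key, time(), $ttl)) {
            return $nonce;            // reserved; the TTL evicts it automatically
        }
        // apcu_add() returns false both when the key already exists and when
        // the store itself failed (e.g. the cache is full). Tell them apart.
        if (!apcu_exists($key)) {
            // Not a collision: the cache refused the write. Fail closed rather
            // than silently continuing without a reservation.
            throw new RuntimeException('nonce cache write failed (cache full?)');
        }
        // Genuine collision (astronomically unlikely): draw a new nonce.
    }
    throw new RuntimeException('could not reserve a unique nonce');
}

/** Build the signed request headers; the header names and scheme are assumptions. */
function sign_request(string $method, string $path, string $secret): array
{
    $nonce = reserve_nonce();
    $ts    = time();
    $sig   = hash_hmac('sha256', "$method\n$path\n$ts\n$nonce", $secret);
    return ['X-Timestamp' => $ts, 'X-Nonce' => $nonce, 'X-Signature' => $sig];
}
```

Because the reservation is per host, a deployment spanning several servers still needs the shared store (database or memcached) the question rules out for the single-host case.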