I would like to use the Unix Time to avoid replay attacks against my web service. I would like the clients to add this value to the request amongst other security tokens. Then my server would also compute this value and accept what the client sent to me within a given error margin.
Now, my question is this: if I tell my clients that I will accept an error margin of around 200, less or greater than.
But can it really ever be greater than?
Also, does it depend on the system date-time settings of the client sending me the request?
Also, how do I decide an appropriate error margin so that I do not refuse genuine requests?
But can it really ever be greater than?
Yes! You know nothing about the client clock. It may be minutes or hours wrong! You cannot trust the client clock anyway so I suggest you record the time in some sort of session on your server side and then do your calculations based on that.
Also, does it depend on the system date-time settings of the client sending me the request?
Yes. You can use the Date.getUTCxxx() functions in JS to get everything in the same timezone, but you cannot trust the client to have a properly set clock.
Also, how do I decide an appropriate error margin so that I do not refuse genuine requests?
This depends on your service. Do you expect an immediate reply? Should the user do some work? Is it possible that the user loads a page and then leaves the computer to brew some nice, full roasted coffee for himself and his coworkers?
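The server-side check the answer describes, written out as an added example (not code from the question or the answer): the server uses its own clock as the reference, accepts a client timestamp up to the margin on either side (so a client clock running ahead is handled, not just one running behind), and keeps a short-lived nonce cache because a timestamp alone still lets a captured request be replayed inside that window. The margin is assumed to be 200 seconds, and the `ts`/`nonce` field names and `checkRequest` function are assumptions.

```javascript
// Added example for the question above; assumes the client sends a Unix
// timestamp `ts` (seconds) and a unique `nonce` with each request.
const MARGIN_SECONDS = 200; // |client ts - server now| tolerance (assumed unit)

// Nonces accepted within the live window: nonce -> server time when first seen.
const seenNonces = new Map();

function nowUnixSeconds() {
  // Date.now() is UTC-based, so no timezone handling is needed here.
  return Math.floor(Date.now() / 1000);
}

// Returns "ok", "malformed", "future", "stale" or "replay".
// `serverNow` is injectable so the check can be exercised deterministically.
function checkRequest({ ts, nonce }, serverNow = nowUnixSeconds()) {
  if (!Number.isInteger(ts) || typeof nonce !== 'string' || nonce === '') {
    return 'malformed';
  }
  const skew = ts - serverNow; // positive means the client clock is ahead
  if (skew > MARGIN_SECONDS) return 'future'; // client clock ahead of server
  if (skew < -MARGIN_SECONDS) return 'stale'; // old request or client clock behind

  // Evict nonces that could no longer pass the window check even if replayed:
  // any ts accepted at seenAt satisfies ts <= seenAt + MARGIN, so once
  // serverNow - seenAt > 2*MARGIN a replay would already be "stale".
  for (const [n, seenAt] of seenNonces) {
    if (serverNow - seenAt > 2 * MARGIN_SECONDS) seenNonces.delete(n);
  }

  // Same nonce inside the window: a captured request being resent.
  if (seenNonces.has(nonce)) return 'replay';
  seenNonces.set(nonce, serverNow);
  return 'ok';
}
```

The server time recorded in `seenNonces` is the one to base expiry on, as the answer suggests, since the client's own value may be wrong.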