From 6bcd2bd766a05489401520704bd61bea74d63818 Mon Sep 17 00:00:00 2001 From: Eric Stern Date: Fri, 1 Mar 2024 17:46:20 -0800 Subject: [PATCH] Readme too --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 56c527c..a662259 100644 --- a/README.md +++ b/README.md @@ -69,8 +69,9 @@ Send it to the user as base64. ```php createChallenge(); +// Generate and manage challenge +$challenge = \Firehed\WebAuthn\ExpiringChallenge::withLifetime(300); +$challengeManager->manageChallenge($challenge); // Send to user header('Content-type: application/json'); @@ -223,7 +224,9 @@ $_SESSION['authenticating_user_id'] = $user['id']; // See examples/functions.php for how this works $credentialContainer = getCredentialsForUserId($pdo, $user['id']); -$challenge = $challengeManager->createChallenge(); +// Generate and manage challenge +$challenge = \Firehed\WebAuthn\ExpiringChallenge::withLifetime(300); +$challengeManager->manageChallenge($challenge); // Send to user header('Content-type: application/json'); @@ -595,6 +598,7 @@ In the event you find this necessary, you SHOULD open an Issue and/or Pull Reque Challenges generated by your server SHOULD expire after a short amount of time. You MAY use the `ExpiringChallenge` class for convenience (e.g. `$challenge = ExpiringChallenge::withLifetime(60);`), which will throw an exception if the specified expiration window has been exceeded. It is RECOMMENDED that your javascript code uses the `timeout` setting (denoted in milliseconds) and matches the server-side challenge expiration, give or take a few seconds. +W3C recommends timeouts between 5 and 10 minutes. > [!NOTE] > The W3C specification recommends a timeout in the range of 15-120 seconds.