I am writing the provider part of the OAuth protocol on the serverside and I'm cracking my ahead over how much of the nonces sent by OAuth consumers that I need to cache.
According to twitter's docs,
Twitter will only allow a nonce to be used once by your application. Prevents replayed requests.
The question: My implementation will just simply add each nonces received into memcached. But this will take up a lot of memory space. How much of the nonces should I ideally cache and for how long ?
Nonces only need to be unique for all requests using the same timestamp. You should deny requests with a timestamp older then 5 minutes so you only need to store nonces for 5 minutes.