[OpenID] Anti-phishing workarouund idea

John Kemp frumioj at mac.com
Thu Jan 18 20:35:07 UTC 2007


Gabe Wachob wrote:

> Many OP’s set a (session) cookie after you log in so that when you
> authenticate once in a browser session, you don’t have to authenticate
> again.  

How many users know that the authentication happens only once a browser
session vs. at the whim of their OP?

How many OPs are willing to set cookies that are valid for the length of
an entire browser session (which may be days or even months), rather
than a specific amount of time (an hour perhaps) determined by the P{s
clock, and not that of the client?

- J




More information about the general mailing list