[OpenID] Persistent logins

Max Metral max at artsalliancelabs.com
Tue Mar 13 11:20:34 UTC 2007


Our custom authentication system has a "remote logoff" capability.
Basically, if you ask it to "remember login" it writes a persistent
cookie that will "auto refresh" every 10 minutes or so (configurable
time).  This means that when you come to the site after that time has
passed, we verify a hash inside the encrypted cookie still matches your
password.  So if you forget to logout, or your machine is compromised,
you can change your password and those persistent cookies will become
invalid.

Now, we've added OpenID support to the system.  We still want to allow
persistent logon.  If someone selects this option, how could I possibly
provide the same "kill switch"?

Thanks,

--Max
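
The password-bound persistent cookie described in the message above, as an added sketch that is not the poster's code. It signs the cookie with HMAC instead of encrypting it; the key, the field names and the `lookup_hash` callback are assumptions.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the site
REFRESH_SECONDS = 600                 # the "10 minutes or so" refresh interval

def _mac(label: bytes, data: bytes) -> bytes:
    return hmac.new(SERVER_KEY, label + data, hashlib.sha256).hexdigest().encode()

def fingerprint(stored_hash: bytes) -> str:
    # Keyed digest of the stored password hash; the hash itself never leaves the server.
    return _mac(b"fp|", stored_hash).decode()

def issue_cookie(user: str, stored_hash: bytes, now: int) -> str:
    body = json.dumps({"u": user, "fp": fingerprint(stored_hash), "t": now}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(b"ck|", body).decode()

def check_cookie(cookie: str, lookup_hash, now: int):
    """Return (user, cookie_to_send), or (None, None) if the login must be redone."""
    try:
        b64, sig = cookie.split(".")
        body = base64.urlsafe_b64decode(b64)
        sig_bytes = sig.encode()
    except ValueError:
        return None, None
    if not hmac.compare_digest(sig_bytes, _mac(b"ck|", body)):
        return None, None                      # forged or corrupted cookie
    data = json.loads(body)
    if now - data["t"] < REFRESH_SECONDS:
        return data["u"], cookie               # fresh: no credential lookup yet
    current = lookup_hash(data["u"])
    if current is None or not hmac.compare_digest(data["fp"], fingerprint(current)):
        return None, None                      # password changed: kill switch fires
    return data["u"], issue_cookie(data["u"], current, now)  # refresh timestamp

# Constructed sample data: one user and a stand-in for the stored password hash.
USERS = {"max": b"constructed-hash-of-old-password"}

if __name__ == "__main__":
    c = issue_cookie("max", USERS["max"], now=1000)
    print(check_cookie(c, USERS.get, now=1060)[0])   # within the window
    USERS["max"] = b"constructed-hash-of-new-password"
    print(check_cookie(c, USERS.get, now=1060)[0])   # still accepted until refresh
    print(check_cookie(c, USERS.get, now=1601)[0])   # refresh check rejects it
```

The middle case shows that a copied cookie stays usable until its next refresh, so the refresh interval bounds how long a password change takes to revoke it.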
