[OpenID] Persistent logins

Nic James Ferrier nferrier at tapsellferrier.co.uk
Tue Mar 13 11:34:28 UTC 2007


"Max Metral" <max at artsalliancelabs.com> writes:

> Our custom authentication system has a "remote logoff" capability.
> Basically, if you ask it to "remember login" it writes a persistent
> cookie that will "auto refresh" every 10 minutes or so (configurable
> time).  This means that when you come to the site after that time has
> passed, we verify a hash inside the encrypted cookie still matches your
> password.  So if you forget to logout, or your machine is compromised,
> you can change your password and those persistent cookies will become
> invalid.
>
> Now, we've added OpenID support to the system.  We still want to allow
> persistent logon.  If someone selects this option, how could I possibly
> provide the same "kill switch"?

You still issue a session cookie right?

The "logoff" is just invalidating the session cookie.


This is something I've been thinking about a lot over the last 2 days
though... I think the "session" is just a marker for the authentication,
a bit like authentication is sometimes used for a session (i.e. with
http auth).

But if the user has "logged out" of the IDP then a session cookie will
continue to work.

I think issued session cookies should quite often check with the IDP
to ensure that the user is still authenticated.


-- 
Nic Ferrier
----------------------------------------------------------
Need a linux/java/python/web hacker?  I'm in need of work!
----------------------------------------------------------
http://www.tapsellferrier.co.uk   
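An added example (my own sketch, not code from either poster) of the kill switch Max describes: a persistent-login cookie carrying a fingerprint of the account's current credentials, re-checked once the refresh interval has passed so that a password change invalidates it. It goes one step beyond the post with a per-account revocation counter, which gives an OpenID account with no local password the same remote logoff. Assumed: an HMAC-signed token stands in for the encrypted cookie, and the server key, user store and names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"assumed-server-side-secret-key"   # assumption: kept on the server, never in the cookie
REFRESH_SECONDS = 600                            # the post's "auto refresh every 10 minutes"

# Constructed user store. pw_hash stands in for whatever password hash the site already keeps;
# cred_version is the extra per-account counter that gives OpenID users (no password) a kill switch.
users = {"max": {"pw_hash": hashlib.sha256(b"old-password").digest(), "cred_version": 1}}

def credential_fingerprint(user):
    # Keyed fingerprint of the account's *current* credentials; the cookie never carries the hash itself.
    rec = users[user]
    msg = rec["pw_hash"] + rec["cred_version"].to_bytes(4, "big")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_cookie(user, now=None):
    """Build a persistent-login cookie as body.signature (signed here rather than encrypted)."""
    payload = {"u": user, "t": int(time.time() if now is None else now), "f": credential_fingerprint(user)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def check_cookie(cookie, now=None):
    """Return the user name if the cookie is still valid, else None.
    Once the refresh interval has passed, the fingerprint is re-checked against the account,
    so a password change or remote logoff since issuance invalidates the cookie."""
    now = time.time() if now is None else now
    body, _, sig = cookie.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None                                  # forged or corrupted cookie
    payload = json.loads(base64.urlsafe_b64decode(body))
    user = payload.get("u")
    if user not in users:
        return None
    if now - payload["t"] >= REFRESH_SECONDS:
        if not hmac.compare_digest(payload["f"], credential_fingerprint(user)):
            return None                              # kill switch fired
        # a real site would re-issue the cookie here with a fresh timestamp
    return user

def change_password(user, new_password):
    users[user]["pw_hash"] = hashlib.sha256(new_password.encode()).digest()

def remote_logoff(user):
    # Invalidates every persistent cookie for the account, password or not.
    users[user]["cred_version"] += 1
```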