[OpenID] Persistent logins

Max Metral max at artsalliancelabs.com
Tue Mar 13 11:53:58 UTC 2007

I took this off list by accident.  Here's what we said:

Nic said:

> In the case of persistent logon we do not issue a session cookie, we 
> issue persistent cookies.

Sorry... I meant "session cookie" in the generic sense that it records a
session between the user and the site... even if that session lasts
longer than a browser session.

> The problem with repeatedly checking with the IDP is that I'm subject 
> to the IDPs uptime in a much more painful way.  (Maybe there's an Ajax

> sol'n to this problem, but not always).  Not only can their going down

> cost me a transaction, if the user didn't specify "allow always" 
> they're going to need to give permission again. (and I submit they 
> shouldn't because they asked to be persistently logged on to my

Can't you just do a check auth in this instance?

To ensure the sig is still valid?

> The *real* answer to this problem would be some sort of server to 
> server call that allowed the IDP to reverify.  But obviously that 
> would be new protocol, which is unpleasant.



Then I said:

It's very possible I'm misunderstanding check_auth, because it did look
good at first.  The way I read it, that still has to be done by the user
browser, even though it might be done in the background/async.  If not,
where does it get any value to provide to the IDP to actually check

-----Original Message-----
From: Nic James Ferrier [mailto:nferrier at tapsellferrier.co.uk] 
Sent: Tuesday, March 13, 2007 7:34 AM
To: Max Metral
Cc: general at openid.net
Subject: Re: [OpenID] Persistent logins

"Max Metral" <max at artsalliancelabs.com> writes:

> Our custom authentication system has a "remote logoff" capability.
> Basically, if you ask it to "remember login" it writes a persistent
> cookie that will "auto refresh" every 10 minutes or so (configurable
> time).  This means that when you come to the site after that time has
> passed, we verify a hash inside the encrypted cookie still matches
> password.  So if you forget to logout, or your machine is compromised,
> you can change your password and those persistent cookies will become
> invalid.
> Now, we've added OpenID support to the system.  We still want to allow
> persistent logon.  If someone selects this option, how could I
> provide the same "kill switch"?

You still issue a session cookie right?

The "logoff" is just invalidating the session cookie.

This is something I've been thinking about a lot over the last 2 days
tho... I think the "session" is just a marker for the authentication,
a bit like authentication is sometimes used for a session (ie: with
http auth).

But if the user has "logged out" of the IDP then a session cookie will
continue to work.

I think issued session cookies should quite often check with the IDP
to ensure that the user is still authenticated.

Nic Ferrier
Need a linux/java/python/web hacker?  I'm in need of work!

More information about the general mailing list