[OpenID] Persistent logins
Rowan Kerr
rowan at sxip.com
Tue Mar 13 17:36:54 UTC 2007
On 13-Mar-07, at 10:20 AM, Max Metral wrote:
> I was afraid this might be the case. It's a pretty big hole I would
> submit
Your UA will remember your session (don't have to re-authenticate),
or your UA will remember the identifier you used previously (only
have to click "login" to authenticate), or your UA will recognize
a standardized "open id" form and fill in your identifier
(only have to click "login").
If a user arrives at a site they've never been to before, yet
happens to be a partner of a site they have previously used,
why force business partnerships on them by magically
authenticating them?
> In the end, if check_auth isn't server-to-server only, it would
> seem we'd need that mechanism.
Are you maybe looking for openid.mode = checkid_immediate?
That still goes through the UA to maintain sessions, cookies, etc.,
but can happen without user interaction.
-Rowan
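
An added example, not part of the original message: a relying party building a checkid_immediate request and classifying the reply that comes back through the UA, using OpenID 1.1 field names. The endpoint, URLs and function names are hypothetical, and a positive reply is only reported as unverified because its signature still has to be checked.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Fields a positive OpenID 1.1 assertion must carry.
REQUIRED = ("openid.identity", "openid.return_to", "openid.assoc_handle",
            "openid.signed", "openid.sig")

def immediate_request_url(op_endpoint, identity, return_to, trust_root):
    """URL the RP redirects the UA to; the OP answers without showing any UI."""
    params = {
        "openid.mode": "checkid_immediate",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)

def classify_response(url, expected_return_to, expected_identity):
    """Classify the reply delivered to return_to. Never treats it as a login."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    mode = q.get("openid.mode")
    if mode == "setup_needed":            # OpenID 2.0 style negative reply
        return ("setup_needed", q.get("openid.user_setup_url"))
    if mode != "id_res":
        return ("invalid", None)
    if "openid.user_setup_url" in q:      # OpenID 1.1 negative reply
        return ("setup_needed", q["openid.user_setup_url"])
    if any(f not in q for f in REQUIRED):
        return ("invalid", None)
    # Reject assertions meant for another return_to or another identifier.
    if (q["openid.return_to"] != expected_return_to
            or q["openid.identity"] != expected_identity):
        return ("invalid", None)
    # Still untrusted: openid.sig must be verified with the association
    # secret or by a direct check_authentication call to the OP.
    return ("unverified_assertion", q)

if __name__ == "__main__":
    # Constructed sample values.
    rt = "https://rp.example/return?n=1"
    print(immediate_request_url("https://op.example/server",
                                "https://alice.example/", rt,
                                "https://rp.example/"))
    reply = rt + "&" + urlencode({"openid.mode": "id_res",
        "openid.user_setup_url": "https://op.example/setup"})
    print(classify_response(reply, rt, "https://alice.example/"))
```

A `setup_needed` result means the OP could not answer silently, so the RP falls back to an interactive login rather than assuming the user is authenticated.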