[OpenID] Persistent logins

Rowan Kerr rowan at sxip.com
Tue Mar 13 17:36:54 UTC 2007


On 13-Mar-07, at 10:20 AM, Max Metral wrote:
> I was afraid this might be the case.  It's a pretty big hole I would
> submit

Your UA will remember your session (don't have to re-authenticate),
or your UA will remember the identifier you used previously (only
have to click "login" to authenticate), or your UA will recognize
a standardized "open id" form and fill in your identifier
(only have to click "login").

If a user arrives at a site they've never been to before, yet
happens to be a partner of a site they have previously used,
why force business partnerships on them by magically
authenticating them?


> In the end, if check_auth isn't server-to-server only, it would
> seem we'd need that mechanism.

Are you maybe looking for openid.mode = checkid_immediate?
That still goes through the UA to maintain sessions, cookies, etc.,
but can happen without user interaction.

-Rowan



