[OpenID] Persistent logins

Carl Howells chowells at janrain.com
Tue Mar 13 18:01:04 UTC 2007


Max Metral wrote:
> I was afraid this might be the case.  It's a pretty big hole I would
> submit, because sites aren't going to make their members suffer by
> having to login repeatedly (if they don't want to), but members
> shouldn't have to answer that question many times, and I shouldn't have
> to sacrifice the ability to undo a previous decision (on a different
> machine).  So either the IDPs have to start implementing custom tools,
> or the protocol needs an extension. (or I'm missing something)

You should take a look at how http://jyte.com/ manages user authentication.

When a user authenticates, jyte sets two cookies: a session cookie that 
contains an is-logged-in credential, and a long-term cookie that 
contains the identifier the user authenticated with.

When a user visits jyte.com without the is-logged-in credential, the 
site looks for the last-authenticated cookie.  If it finds one, it 
performs a checkid_immediate request.  If successful, the user is given 
a new is-logged-in credential at the browser session level.  Because of 
the nature of the checkid_immediate request, the process is invisible to 
the user, but it serves to ensure that the user is still authenticated 
with their IDP.

The log out button clears both of those cookies, to prevent surprise 
logging in.

It wouldn't be too much work to adapt a system like this to any other 
re-check schedule, and it requires no extra support from IDPs, and will 
happen completely transparently to users, *if* the user has chosen to 
always log in to the site in question.

Carl


