[OpenID] Persistent logins
chowells at janrain.com
Tue Mar 13 18:01:04 UTC 2007
Max Metral wrote:
> I was afraid this might be the case. It's a pretty big hole I would
> submit, because sites aren't going to make their members suffer by
> having to login repeatedly (if they don't want to), but members
> shouldn't have to answer that question many times, and I shouldn't have
> to sacrifice the ability to undo a previous decision (on a different
> machine). So either the IDPs have to start implementing custom tools,
> or the protocol needs an extension. (or I'm missing something)
You should take a look at how http://jyte.com/ manages user authentication.
When a user authenticates, jyte sets two cookies: a session cookie that
contains an is-logged-in credential, and a long-term cookie that
contains the identifier the user authenticated with.
When a user visits jyte.com without the is-logged-in credential, the
site looks for the last-authenticated cookie. If it finds one, it
performs a checkid_immediate request. If successful, the user is given
a new is-logged-in credential at the browser session level. Because of
the nature of the checkid_immediate request, the process is invisible to
the user, but it serves to ensure that the user is still authenticated
with their IDP.
The log out button clears both of those cookies, to prevent surprise
It wouldn't be too much work to adapt a system like to any other
re-check schedule, and it requires no extra support from IDPs, and will
happen completely transparently to users, *if* the user has chosen to
always log in to the site in question.
More information about the general