[OpenID] Persistent logins

Calvin Cheng cxcheng at mac.com
Tue Mar 13 21:00:46 UTC 2007

This is not part of the session problem then. If you have a specific OpenID linked to a specific IDP and the IDP becomes unavailable, you will need to find ways to deal with it, perhaps allowing the user to link their existing account to a new IDP. That's a good problem that I think we'll have to deal with. I listened to a presentation on a password recovery process, and it's no joke the amount of effort that they had to go through to make sure it's i) easy enough for dumb users, ii) secure enough from the malicious, and iii) compliant with their legal requirements.

On the long-term cookie issue, we still have the usability problem of requiring the user to allow validation forever as opposed to on a single-use basis. I'm thinking it would be useful to have a finer level of granularity, i.e. validation for 10 min or 10 hours. The IDP can return an encrypted token containing that information, which will be part of the session cookie that would need to be passed subsequently.

On Tuesday, March 13, 2007, at 01:50PM, "Max Metral" <max at artsalliancelabs.com> wrote:
>I agree this works, but I'm not sure all sites will sign up to denying a
>user entry because a (massively decentralized) IDP went down.  As of now
>I'm one of those not willing to sign up for it, but I haven't decided if
>I'm being unreasonable or not. :)
>-----Original Message-----
>From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>Behalf Of Johannes Ernst
>Sent: Tuesday, March 13, 2007 4:47 PM
>To: Carl Howells
>Cc: general at openid.net
>Subject: Re: [OpenID] Persistent logins
>On Mar 13, 2007, at 11:01, Carl Howells wrote:
>> You should take a look at how http://jyte.com/ manages user 
>> authentication.
>> When a user authenticates, jyte sets two cookies: a session cookie 
>> that contains an is-logged-in credential, and a long-term cookie that 
>> contains the identifier the user authenticated with.
>Hey, that sounds just like the LID one! ;-)
>Not surprisingly, I agree that this is a good approach.
>Johannes Ernst
>NetMesh Inc.
>general mailing list
>general at openid.net
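
Added example, not part of the original thread or of any OpenID library: a sketch of the time-limited validation token proposed above, carried in the session cookie and checked by the relying party on every request. It swaps the "encrypted token" for an HMAC-authenticated one (integrity is what the expiry needs), and assumes a key already shared between IDP and relying party; all function names and the key are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a secret already shared by the IDP and the relying party.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(payload, key):
    return b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())

def issue_token(identifier, lifetime_s, now=None, key=SHARED_KEY):
    """IDP side: bind the identifier to a validity window and authenticate it."""
    now = int(time.time() if now is None else now)
    claims = {"id": identifier, "iat": now, "exp": now + lifetime_s}
    payload = b64e(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + mac(payload, key)

def check_token(token, now=None, key=SHARED_KEY):
    """Relying-party side: return the identifier, or None when the token is
    malformed, altered, or outside its window (user must re-validate)."""
    now = int(time.time() if now is None else now)
    try:
        payload, tag = token.split(".")
        # Verify the MAC before parsing anything the client controls.
        if not hmac.compare_digest(tag, mac(payload, key)):
            return None
        claims = json.loads(b64d(payload))
        if not (claims["iat"] <= now < claims["exp"]):
            return None
        return claims["id"]
    except (ValueError, KeyError, TypeError):
        return None

if __name__ == "__main__":
    # Constructed sample: validation granted for 10 minutes.
    cookie = issue_token("https://example.org/alice", 600)
    print(check_token(cookie))                          # within the window
    print(check_token(cookie, now=time.time() + 601))   # after expiry
```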
