[Openid-specs-ab] Session Management Demo Code
emmanuel at raviart.com
Mon Jul 30 17:08:18 UTC 2012
I have also implemented session management support using this sample code.
But I have one remark and one problem:
- The remark: The OP cookie must not have the flag httpOnly set.
Otherwise it is not readable by the OP iframe (i.e. window.cookie always returns
always ""). Since I don't want to use an insecure cookie for managing
user authentication, I had to create a new cookie dedicated to session
management and never read by the server.
- The problem: The OP cookie can never be read by OP iframe when you
don't accept third-party cookies. I had to enable third-party cookies in
the browser settings before being able to have working session management.
Because of this problem, I currently believe it is not realistic to use
an OP cookie in an OP iframe for session management.
On 07/26/2012 12:08 AM, Nat Sakimura wrote:
> Ryo Ito created a sample code for the Session management spec.
> Here it is: https://gist.github.com/3149557
> Thanks Ryo!
> =nat via iPhone
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
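
The split-cookie arrangement described in the message above, as an added example that is not part of the original post or of the linked sample code: an HttpOnly cookie carries authentication, and a separate script-readable cookie is used only by the OP iframe. The cookie names `op_auth` and `op_session_state`, the function names and the status strings are assumptions made for this sketch.

```javascript
// Added example. Cookie names and status strings are hypothetical.

// OP login response: two cookies. Token values must come from a CSPRNG and
// must be independent, so the readable one reveals nothing about the other.
function loginCookies(authToken, sessionState) {
  return [
    `op_auth=${authToken}; Path=/; Secure; HttpOnly`,   // authentication, server only
    `op_session_state=${sessionState}; Path=/; Secure`, // session management, script only
  ];
}

// Model of document.cookie inside the OP iframe: HttpOnly cookies are left out.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((s) => s.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === 'httponly'))
    .map((parts) => parts[0])
    .join('; ');
}

// Return the value of one cookie from a "k=v; k2=v2" string, or null.
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(';')) {
    const i = pair.indexOf('=');
    if (i > 0 && pair.slice(0, i).trim() === name) return pair.slice(i + 1).trim();
  }
  return null;
}

// OP iframe check: compare the cookie with the value the RP last saw.
// An unreadable cookie (for example third-party cookies blocked, so the
// cookie string is "") is reported separately instead of as a logout.
function checkSession(cookieString, lastSeen) {
  const current = readCookie(cookieString, 'op_session_state');
  if (current === null) return 'unreadable';
  return current === lastSeen ? 'unchanged' : 'changed';
}

// OP server: authenticate from op_auth only; op_session_state is ignored.
function authenticate(cookieHeader, sessions) {
  const token = readCookie(cookieHeader, 'op_auth');
  return token !== null && sessions.has(token) ? sessions.get(token) : null;
}
```

In a real iframe, `checkSession` would be called with `document.cookie`; the model function stands in for the browser so the sketch runs outside one.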