[Openid-specs-ab] Session Management Demo Code

Emmanuel Raviart emmanuel at raviart.com
Mon Jul 30 17:08:18 UTC 2012


I have also implemented session management support using this sample code.

But I have one remark and one problem:

- The remark: The OP cookie must not have the flag httpOnly set.
Otherwise it is not readable by the OP iframe (i.e. window.cookie always
returns ""). Since I don't want to use an insecure cookie for managing
user authentication, I had to create a new cookie dedicated to session
management and never read by the server.

- The problem: The OP cookie can never be read by the OP iframe when you
don't accept third-party cookies. I had to enable third-party cookies in
the browser settings before being able to have working session management.

Because of this problem, I currently believe it is not realistic to use 
an OP cookie in an OP iframe for session management.

-- Emmanuel

On 07/26/2012 12:08 AM, Nat Sakimura wrote:
> Ryo Ito created a sample code for the Session management spec.
>
> Here it is: https://gist.github.com/3149557
>
> Thanks Ryo!
>
> =nat via iPhone
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
