[OT] our cookie expiration

Josh Hoyt josh at janrain.com
Mon Oct 9 08:12:27 UTC 2006


On 10/8/06, Dick Hardt <dick at sxip.com> wrote:
> [...] I would want the site to prompt for a password if I was doing something
> important. The only way for the IdP to know that is for the RP to
> tell it somehow -> auth_age request.

This is only useful in conjunction with signed requests. A malicious
3rd party could easily remove whatever parameter(s) in the request
that made the IdP prompt for the password. If the request is not
signed, it's a false sense of security at best.

Josh
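
The point above, as an added example that is not part of the original message or of any OpenID specification: an IdP that honors an unsigned auth_age cannot tell when it has been stripped, while a MAC over the field list makes the removal detectable, provided the IdP also refuses requests that carry no signature at all. The field names `signed` and `sig`, the use of HMAC-SHA256, the shared key, and the reading of auth_age as a maximum age in seconds are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed RP<->IdP shared secret (assumption)


def _mac(fields, names, key):
    # MAC covers the listed fields plus the list itself, so neither can be edited.
    payload = "".join(f"{n}:{fields[n]}\n" for n in names + ["signed"])
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_request(params, key=KEY):
    """RP side: return params plus hypothetical 'signed' and 'sig' fields."""
    names = sorted(params)
    out = dict(params, signed=",".join(names))
    out["sig"] = _mac(out, names, key)
    return out


def idp_requires_password(params, key=KEY, require_signature=True):
    """IdP side: True if the request asks for a fresh password prompt.

    Raises ValueError when the request fails the signature policy.
    """
    if "sig" not in params:
        if require_signature:
            raise ValueError("unsigned request rejected")
        trusted = params  # unsigned mode: nothing here is authenticated
    else:
        names = params.get("signed", "").split(",")
        try:
            expected = _mac(params, names, key)
        except KeyError:
            raise ValueError("a signed field was removed from the request")
        if not hmac.compare_digest(expected, params["sig"]):
            raise ValueError("bad signature")
        trusted = {n: params[n] for n in names}  # ignore unsigned extras
    # Assumption: auth_age is a max age in seconds; "0" means prompt now.
    return trusted.get("auth_age") == "0"
```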


