[OpenID] Sharing OpenID between sites (and APIs)

Tan, William William.Tan at neustar.biz
Mon Jan 29 01:54:16 UTC 2007

There are privacy concerns here. If someone clicks on a link on the page 
with an openid_url=ID or lid=ID query parameter, it will show up in the 
referrer log of the target site. While it's not a password, it's still 
valuable information identifying the user.

Can't the RP implement a long-lived cookie that remembers the user, so 
that when a user revisits the site after a few days it'll check if the 
user is logged on at the IdP?


Johannes Ernst wrote:
> That's what the NetMesh code has been doing for about two years now.  
> It's rather handy for things like bookmarking a pair of page URL and  
> identity of user, not just page URL, so the bookmark is "show me this  
> page with me as owner" vs "show me this page as anonymous" vs. ...
> In our implementation, having an empty value for this parameter  
> (called lid= in our case) means "anonymous".
> On Jan 27, 2007, at 8:38, Stephen Paul Weber wrote:
>> Hello everyone :)
>>    I've been thinking a lot about the problem of having to sign in
>> with your OpenID at every site (unlike other, close, single sign on
>> where going to, say, Blogger when logged in at GMail automatically
>> logs you in).  This also applies to data-sharing between sites in an
>> authenticated API style.
>>    Basically, I think it makes sense for every page on an
>> OpenID-enabled site to accept ?openid_url=ID, instead of only the
>> login page.
>>    See my article for more :
>> <http://singpolyma-tech.blogspot.com/2007/01/openid-as-true-single- 
>> signon.html>
>>       Thoughts?
>> -- 
>> - Stephen Paul Weber, singpolyma.net
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list