[OpenID] Persistent logins
Nic James Ferrier
nferrier at tapsellferrier.co.uk
Tue Mar 13 11:34:28 UTC 2007
"Max Metral" <max at artsalliancelabs.com> writes:
> Our custom authentication system has a "remote logoff" capability.
> Basically, if you ask it to "remember login" it writes a persistent
> cookie that will "auto refresh" every 10 minutes or so (configurable
> time). This means that when you come to the site after that time has
> passed, we verify a hash inside the encrypted cookie still matches your
> password. So if you forget to logout, or your machine is compromised,
> you can change your password and those persistent cookies will become
> invalid.
>
> Now, we've added OpenID support to the system. We still want to allow
> persistent logon. If someone selects this option, how could I possibly
> provide the same "kill switch"?
You still issue a session cookie, right?
The "logoff" is just invalidating the session cookie.
This is something I've been thinking about a lot over the last 2 days
though... I think the "session" is just a marker for the authentication,
a bit like authentication is sometimes used for a session (i.e. with
HTTP auth).
But if the user has "logged out" of the IDP then a session cookie will
continue to work.
I think issued session cookies should quite often check with the IDP
to ensure that the user is still authenticated.
--
Nic Ferrier
----------------------------------------------------------
Need a linux/java/python/web hacker? I'm in need of work!
----------------------------------------------------------
http://www.tapsellferrier.co.uk
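The "remember login" cookie Max describes, as an added example that is not code from either poster: the cookie carries a keyed tag derived from the user's current password hash and is re-checked once the refresh window has passed, so changing the password invalidates every copy. It uses an HMAC for integrity instead of encryption, and SERVER_KEY, REFRESH_SECONDS and the USERS store are constructed assumptions.

```python
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-server-secret-change-me"  # assumption: server-side secret
REFRESH_SECONDS = 600                                 # "every 10 minutes or so"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: user -> salt and salted password hash
USERS = {"max": {"salt": b"s4lt", "pw_hash": hash_password("hunter2", b"s4lt")}}

def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def _pw_tag(pw_hash: bytes) -> str:
    # Keyed digest of the stored hash: lets the cookie be bound to the password
    # without putting the password hash itself into the cookie.
    return hmac.new(SERVER_KEY, b"pw|" + pw_hash, hashlib.sha256).hexdigest()[:32]

def issue_cookie(user: str, now: int) -> str:
    """Integrity-protected cookie binding user, issue time and password tag."""
    body = json.dumps({"u": user, "t": now, "p": _pw_tag(USERS[user]["pw_hash"])}).encode()
    return base64.urlsafe_b64encode(body + _sign(body)).decode()

def check_cookie(cookie: str, now: int):
    """Return (status, cookie): 'ok' inside the window, 'refreshed' after a
    successful password re-check, or 'invalid' (bad MAC or password changed)."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(tag, _sign(body)):
            return ("invalid", None)
        data = json.loads(body)
        user, issued, pw_tag = data["u"], int(data["t"]), data["p"]
    except (ValueError, KeyError, TypeError):
        return ("invalid", None)
    if now - issued < REFRESH_SECONDS:
        return ("ok", cookie)  # still inside the refresh window: no re-check yet
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_pw_tag(rec["pw_hash"]), pw_tag):
        return ("invalid", None)  # password changed or user gone: the "kill switch"
    return ("refreshed", issue_cookie(user, now))

def change_password(user: str, new_password: str) -> None:
    USERS[user]["pw_hash"] = hash_password(new_password, USERS[user]["salt"])
```

Note that a cookie issued before the password change keeps working until its refresh window expires, so the revocation delay is at most REFRESH_SECONDS; re-checking on every request removes that gap at the cost of a lookup per request.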