[OpenID] Persistent logins
Max Metral
max at artsalliancelabs.com
Tue Mar 13 11:53:58 UTC 2007
I took this off list by accident. Here's what we said:
Nic said:
> In the case of persistent logon we do not issue a session cookie, we
> issue persistent cookies.
Sorry... I meant "session cookie" in the generic sense that it records a
session between the user and the site... even if that session lasts
longer than a browser session.
> The problem with repeatedly checking with the IDP is that I'm subject
> to the IDPs uptime in a much more painful way. (Maybe there's an Ajax
> sol'n to this problem, but not always). Not only can their going down
> cost me a transaction, if the user didn't specify "allow always"
> they're going to need to give permission again. (and I submit they
> shouldn't because they asked to be persistently logged on to my
> service).
Can't you just do a check auth in this instance?
To ensure the sig is still valid?
> The *real* answer to this problem would be some sort of server to
> server call that allowed the IDP to reverify. But obviously that
> would be new protocol, which is unpleasant.
Check_auth?
-----
Then I said:
It's very possible I'm misunderstanding check_auth, because it did look
good at first. The way I read it, that still has to be done by the user
browser, even though it might be done in the background/async. If not,
where does it get any value to provide to the IDP to actually check
something?
-----Original Message-----
From: Nic James Ferrier [mailto:nferrier at tapsellferrier.co.uk]
Sent: Tuesday, March 13, 2007 7:34 AM
To: Max Metral
Cc: general at openid.net
Subject: Re: [OpenID] Persistent logins
"Max Metral" <max at artsalliancelabs.com> writes:
> Our custom authentication system has a "remote logoff" capability.
> Basically, if you ask it to "remember login" it writes a persistent
> cookie that will "auto refresh" every 10 minutes or so (configurable
> time). This means that when you come to the site after that time has
> passed, we verify a hash inside the encrypted cookie still matches
> your
> password. So if you forget to logout, or your machine is compromised,
> you can change your password and those persistent cookies will become
> invalid.
>
> Now, we've added OpenID support to the system. We still want to allow
> persistent logon. If someone selects this option, how could I
> possibly
> provide the same "kill switch"?
You still issue a session cookie right?
The "logoff" is just invalidating the session cookie.
This is something I've been thinking about a lot over the last 2 days
tho... I think the "session" is just a marker for the authentication,
a bit like authentication is sometimes used for a session (ie: with
http auth).
But if the user has "logged out" of the IDP then a session cookie will
continue to work.
I think issued session cookies should quite often check with the IDP
to ensure that the user is still authenticated.
--
Nic Ferrier
----------------------------------------------------------
Need a linux/java/python/web hacker? I'm in need of work!
----------------------------------------------------------
http://www.tapsellferrier.co.uk
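The password-bound "kill switch" Max describes for his custom system, as an added example that is not code from this thread or from any OpenID library: a persistent cookie carries a fingerprint of the stored password hash and is re-checked once the refresh interval has passed, so a password change invalidates every outstanding cookie. The cookie is HMAC-signed rather than encrypted, and the JSON layout, key handling and all names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for the example; a real deployment loads the key from config.
SERVER_KEY = secrets.token_bytes(32)
REFRESH_SECONDS = 600  # re-check the cookie against the password every ~10 minutes

class UserStore:
    """Minimal in-memory user table of salted password hashes (constructed)."""
    def __init__(self):
        self.users = {}

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def password_fingerprint(self, username):
        # Derived from the stored hash, so the cookie never carries password material.
        return hashlib.sha256(b"fp:" + self.users[username]).hexdigest()

def _mac(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_cookie(store, username, now):
    payload = json.dumps({"u": username, "fp": store.password_fingerprint(username), "iat": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(_mac(payload)).decode()

def validate_cookie(store, cookie, now):
    """Return (username, refreshed_cookie_or_None), or None if the persistent login is dead."""
    try:
        body, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
        if not hmac.compare_digest(_mac(payload), base64.urlsafe_b64decode(mac)):
            return None  # forged or corrupted cookie
        data = json.loads(payload)
        user, fp, issued = data["u"], data["fp"], int(data["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    if user not in store.users:
        return None  # account removed: kill switch
    if now - issued < REFRESH_SECONDS:
        return user, None  # inside the refresh window: accepted without re-checking
    # Refresh time: the "kill switch" fires if the password changed since issue.
    if not hmac.compare_digest(fp, store.password_fingerprint(user)):
        return None
    return user, issue_cookie(store, user, now)
```

Within the refresh window a cookie is still honoured after a password change; that lag is the cost of not re-checking on every request, and the same lag applies to any scheme that re-verifies with an IdP only periodically.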