[OpenID] Durability of authorized sessions
Tony Locke
tlocke at tlocke.org.uk
Wed Nov 28 07:48:38 UTC 2007
Allen Tom wrote:
> [...] authorizing financial transactions generally requires that
> the credentials be relatively short lived (like an hour) and be tied to
> a specific IP address. In contrast, consumer oriented websites generally
> tend to issue long lived credentials that are not bound to an IP address
> (as consumers tend to roam and get re-IPed fairly often). A
> consumer-focused OpenID Provider may issue long lived credentials that
> persist across browser sessions and IP address changes so that their
> users don't need to type their password very often.
As I understand it, with OpenID it's the RP and not the Provider that
decides how long the original authentication lasts, and it's also the
RP that decides what constitutes a session (i.e., whether a session is
broken by a change of IP address). I guess most RPs define a session
with a cookie that persists until you close the browser. More
stringent RPs could demand re-authentication every 30 minutes, say,
and on each change of IP, and perhaps if 10 minutes goes by without
any interaction.
Regards,
Tony.