[OpenID] OpenID RP: Storing persistent identifier cookie rather than authentication ticket cookie
Allen Tom
atom at yahoo-inc.com
Mon Jul 13 19:29:13 UTC 2009
Andrew Arnott wrote:
>
> I've heard some reactions by users who were new to OpenID that were
> surprised that logging out of the OP didn't automatically log them out
> of the RPs. I know we've had several "single-sign-out" threads on
> this list, and this seems like it would solve it with no change to the
> OpenID spec.
>
Having the RP periodically send checkid_immediate requests to "refresh"
the current session helps with the single sign out issue, but unless the
RP does checkid_immediate on every page view, there will still be
latency from the time the user signs out of the OP until when the user's
session is expired on the RP.
Also, this proposal doesn't address the case where the user signs out of
the RP, and the sign out event needs to be propagated back up to the OP.
> I think the approach I'm going to start with is the full-window
> redirect using checkid_immediate,
Well, the Security Best Practices document says that OPs should verify
that checkid_immediate is running within a frame, otherwise it could be
exploited as an open redirector...
http://wiki.openid.net/OpenID-Security-Best-Practices
Allen
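A constructed model of the "refresh the session with periodic checkid_immediate" scheme discussed above (an added example, not code from this list or from any OpenID library): the OP and RP are in-memory stand-ins, and the identifier URLs, cookie values and refresh interval are made up. It makes the two points concrete: an OP sign-out is only noticed at the RP's next refresh, and an RP-side sign-out is never sent to the OP.

```python
from dataclasses import dataclass


class FakeOP:
    """Stand-in OP (constructed): remembers which identifiers have an OP session."""
    def __init__(self):
        self.signed_in = set()

    def checkid_immediate(self, identifier):
        # id_res while the user has a live OP session, setup_needed otherwise.
        return "id_res" if identifier in self.signed_in else "setup_needed"

    def logout(self, identifier):
        self.signed_in.discard(identifier)


@dataclass
class RPSession:
    identifier: str
    last_verified: float  # time of the last successful checkid_immediate


class RP:
    """RP that keeps a persistent-identifier cookie and re-checks with the OP
    only once every refresh_interval seconds, not on every page view."""
    def __init__(self, op, refresh_interval):
        self.op = op
        self.refresh_interval = refresh_interval
        self.sessions = {}  # cookie value -> RPSession

    def login(self, cookie, identifier, now):
        if self.op.checkid_immediate(identifier) != "id_res":
            return False
        self.sessions[cookie] = RPSession(identifier, now)
        return True

    def page_view(self, cookie, now):
        """True if the request is served as signed in."""
        s = self.sessions.get(cookie)
        if s is None:
            return False
        if now - s.last_verified < self.refresh_interval:
            return True  # inside the window: no OP round trip, so no sign-out detected
        if self.op.checkid_immediate(s.identifier) == "id_res":
            s.last_verified = now
            return True
        del self.sessions[cookie]  # OP session is gone: expire the RP session
        return False

    def logout(self, cookie):
        # RP-side sign-out only drops the RP session; nothing is sent to the OP.
        self.sessions.pop(cookie, None)
```

Shortening refresh_interval shrinks the latency window but adds one OP round trip per interval; only an interval of zero (a check on every page view) removes it.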