[OpenID] OpenID RP: Storing persistent identifier cookie rather than authentication ticket cookie

Andrew Arnott andrewarnott at gmail.com
Mon Jul 13 19:57:54 UTC 2009


I was assuming that the login session would be maintained by a
non-persistent cookie, and the OpenID identifier would be a persistent
cookie that would last (intentionally vague) a longer time.

Yes, there would be latency between log out of OP and effective auto-log-out
of RP to be sure.  But the "log out of OP, and every single RP" would be
reduced to "log out of OP, and close your browser".
Allen, your point about checkid_immediate breaking in full windows is very
well taken.  I'd completely forgotten about that.  I guess that forces me
into my backup/alternate plan of:

Every page that includes a "Login" link will include a snippet (an ASP.NET
control in my case) that tests for the ability to auto-login the user via an
iframe checkid_immediate in the background.  This may use the persisted
identifier from a previous login, *and/or* just try some popular OP
identifiers (in order to improve the user experience if the user is using an
unfamiliar kiosk but has already logged into [popular OP]).  If the client
finds it gets a positive assertion, it changes or adds to the "Login" link
UI a message like "(auto-login now)", which forwards the positive assertion
to the server for processing and logs the user in without any further
interaction.  This is sort of like Facebook's approach, except that instead
of dragging the user in, it lets the user click to login, but lets them know
that it will be a very quick, non-interactive process.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Mon, Jul 13, 2009 at 12:29 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> Andrew Arnott wrote:
>
>>
>> I've heard some reactions by users who were new to OpenID that were
>> surprised that logging out of the OP didn't automatically log them out of
>> the RPs.  I know we've had several "single-sign-out" threads on this list,
>> and this seems like it would solve it with no change to the OpenID spec.
>>
>
> Having the RP periodically send checkid_immediate requests to "refresh" the
> current session helps with the single sign out issue, but unless the RP does
> checkid_immediate on every page view, there will still be latency from the
> time the user signs out of the OP until when the user's session is expired
> on the RP.
>
> Also, this proposal doesn't address the case where the user signs out of
> the RP, and the sign out event needs to be propagated back up to the OP.
>
>> I think the approach I'm going to start with is the full-window redirect
>> using checkid_immediate,
>>
>
> Well, the Security Best Practices document says that OPs should verify that
> checkid_immediate is running within a frame, otherwise it could be exploited
> as an open redirector....
>
> http://wiki.openid.net/OpenID-Security-Best-Practices
>
> Allen
>
>
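Added example, not code from the thread or from either author's project: the
relying-party side of the background checkid_immediate probe described above.
It builds the OpenID 2.0 immediate request, classifies the OP's indirect
response (setup_needed vs. a positive assertion), verifies the HMAC-SHA1
signature of a positive assertion against the association secret before the
server trusts what the browser forwarded from the iframe, and issues the
two-cookie split Andrew proposes (session cookie with no expiry, persistent
identifier cookie). The OP endpoint, identifiers, nonce and MAC key are
made-up values; the signing helper stands in for the OP so the exchange runs
offline.

```python
"""Added example: RP-side handling of a background checkid_immediate probe.
Signature construction follows OpenID Authentication 2.0 sections 6.1 and 10.1
(key-value form of the fields listed in openid.signed, 'openid.' prefix
stripped, HMAC-SHA1 with the association MAC key, base64). Endpoints,
identifiers and the MAC key are assumptions for illustration."""

import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields the spec requires to be covered by openid.signed in a positive assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def build_checkid_immediate_url(op_endpoint, claimed_id, return_to, realm, assoc_handle):
    """URL to load in the hidden iframe (not a full-window redirect)."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def classify_immediate_response(query):
    """Map the OP's indirect response to what the Login link should do."""
    mode = query.get("openid.mode")
    if mode == "id_res":
        # OpenID 1.1 OPs answer an immediate request they cannot satisfy with
        # id_res plus openid.user_setup_url; 2.0 OPs send setup_needed.
        return "setup_needed" if "openid.user_setup_url" in query else "positive"
    if mode == "setup_needed":
        return "setup_needed"
    if mode == "cancel":
        return "cancel"
    return "error"


def _kv_form(query, fields):
    # Key-value form: one "field:value\n" line per signed field, in listed order.
    return "".join("%s:%s\n" % (f, query["openid." + f]) for f in fields)


def sign_response(query, mac_key):
    """Stand-in for the OP: sign the fields listed in openid.signed (HMAC-SHA1)."""
    fields = query["openid.signed"].split(",")
    mac = hmac.new(mac_key, _kv_form(query, fields).encode("utf-8"), hashlib.sha1).digest()
    signed = dict(query)
    signed["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return signed


def verify_positive_assertion(query, mac_key, expected_return_to, seen_nonces):
    """RP side: True only if the assertion forwarded by the browser checks out.
    Signed-field coverage, return_to ownership, nonce freshness and the HMAC are
    all checked; the in-memory nonce set stands in for a real replay store."""
    fields = query.get("openid.signed", "").split(",")
    if any(f not in fields for f in REQUIRED_SIGNED):
        return False
    for f in ("claimed_id", "identity"):  # must be signed when present
        if "openid." + f in query and f not in fields:
            return False
    if any("openid." + f not in query for f in fields):
        return False
    if query["openid.return_to"] != expected_return_to:
        return False
    nonce = query["openid.response_nonce"]
    if nonce in seen_nonces:
        return False
    expected = base64.b64encode(
        hmac.new(mac_key, _kv_form(query, fields).encode("utf-8"), hashlib.sha1).digest()
    ).decode("ascii")
    if not hmac.compare_digest(expected, query.get("openid.sig", "")):
        return False
    seen_nonces.add(nonce)
    return True


def login_cookies(session_id, claimed_id, identifier_max_age=30 * 24 * 3600):
    """Two-cookie split: the session cookie has no Max-Age/Expires, so the
    browser drops it on close; the identifier cookie persists but only names
    whom to re-probe with checkid_immediate, it is not a credential."""
    return [
        "rp_session=%s; Path=/; Secure; HttpOnly" % session_id,
        "openid_identifier=%s; Path=/; Max-Age=%d; Secure; HttpOnly"
        % (quote(claimed_id, safe=""), identifier_max_age),
    ]
```

The point worth keeping in mind when wiring this to the "(auto-login now)"
link: the positive assertion arrives via the browser, so the server must run
verify_positive_assertion (or check_authentication for a stateless RP) on it
before creating the session, exactly as it would for a full checkid_setup
response.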