[OpenID] OpenID RP: Storing persistent identifier cookie rather than authentication ticket cookie
Allen Tom
atom at yahoo-inc.com
Mon Jul 13 20:05:19 UTC 2009
Having the RP issue its local authentication credentials in a session
cookie that is automatically cleared when the browser is closed sounds
like a very good idea.

Storing the user's OpenID in a persistent cookie which can be used to
generate checkid_immediate requests on follow-up visits after a browser
restart (which results in the authentication session cookie being
re-issued) also sounds like a good idea.

Allen

Andrew Arnott wrote:
> I was assuming that the login session would be maintained by a
> non-persistent cookie, and the OpenID identifier would be a persistent
> cookie that would last (intentionally vague) a longer time.
>
> Yes, there would be latency between log out of OP and effective
> auto-log-out of RP to be sure. But the "log out of OP, and every
> single RP" would be reduced to "log out of OP, and close your browser".
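
The cookie split discussed in this thread, sketched as an added example (not code from either poster or from any OpenID library). The cookie names `rp_session` and `rp_openid`, the 30-day lifetime, and the `verify_assertion` and `new_token` callbacks are assumptions; the OP endpoint is taken as already discovered, and `openid.identity` is assumed equal to the claimed identifier (no delegation).

```python
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_MAX_AGE = 30 * 24 * 3600  # assumed lifetime; the thread leaves it vague

def login_cookies(session_token, claimed_id):
    """Set-Cookie values the RP issues after a verified OpenID login."""
    c = SimpleCookie()
    # Session cookie: no Expires/Max-Age, so the browser drops it on close.
    c["rp_session"] = session_token
    # Persistent cookie: carries only the identifier, never a credential.
    c["rp_openid"] = quote(claimed_id, safe="")
    c["rp_openid"]["max-age"] = IDENTIFIER_MAX_AGE
    for m in c.values():
        m["httponly"] = m["secure"] = True
        m["path"] = "/"
    return [m.OutputString() for m in c.values()]

def on_visit(cookies, valid_sessions, op_endpoint, return_to, realm):
    """Decide what the RP does for a request carrying `cookies` (a dict)."""
    if cookies.get("rp_session") in valid_sessions:
        return ("serve", None)
    claimed_id = unquote(cookies.get("rp_openid", ""))
    if not claimed_id:
        return ("login_page", None)
    # Browser was restarted: ask the OP, without UI, if the user is still signed in.
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return ("redirect", op_endpoint + "?" + urlencode(params))

def on_op_response(params, expected_claimed_id, verify_assertion, new_token):
    """Handle the OP's response to checkid_immediate at return_to."""
    ok = (params.get("openid.mode") == "id_res"
          and params.get("openid.claimed_id") == expected_claimed_id
          and verify_assertion(params))  # hypothetical: signature, nonce, return_to
    if ok:
        return ("session", login_cookies(new_token(), expected_claimed_id))
    # setup_needed (user logged out at the OP) or an unverified reply:
    # no session cookie is re-issued; the user must sign in interactively.
    return ("login_page", None)
```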