[OpenID] general Logout / Signout Problem with OpenID
Andrew Arnott
andrewarnott at gmail.com
Thu Jul 23 13:34:04 UTC 2009
The problem you describe is worse than that. If the user leaves the
computer with their session to their OpenID Provider active, not only can a
stranger access all data at that provider (like Gmail, blog and calendar in
the case of Google), but the stranger can log into ANY OpenID RP... not just
the one that the earlier user just logged out of.
And since OpenID doesn't prescribe a way for RPs to automatically log users
out of the OPs, the best thing you can do at the RP is after the user clicks
"Log Out" to display a noticeable message saying "Don't forget to log out of
[OpenID Provider] as well".
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Thu, Jul 23, 2009 at 4:50 AM, zlzc2000 <zlzc2001 at hotmail.com> wrote:
>
> Dear Forum,
>
> I'm developing an OpenID solution using the Java library openid4java. After a
> user has signed in, I can manage the logout for my website. But if the user
> clicks the OpenID login button again, my site implicitly redirects the request
> to, for example, the Google server, which still has an "open" session. Therefore
> Google verifies my request positively and the user logs in again without giving a
> password again, which means that my site
> constructs a new session with the old user account.
> This would be a problem if someone in a public place logs off the page and
> 2 minutes later someone else is able to "continue" his session.
> I didn't find any API call to finish the session for the OpenID server; maybe
> someone has a hint for me to resolve this problem.
>
> thanks a lot !
>
> regards,
>
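The thread's practical advice is that the RP can only end its own session and should tell the user to log out of the OP too. The following is an added example (not code from this thread or from the openid4java project) showing that RP-side logout together with one extra check the thread does not mention: the RP asks the OP, via the PAPE extension's max_auth_age=0, to re-prompt for credentials on the next login, and then verifies the auth_time the OP reports, so a still-open OP session alone is not enough to get back into the RP. The servlet URLs, the session attribute name and the 60-second freshness window are assumptions; the openid4java calls (ConsumerManager, PapeRequest.createPapeRequest, PapeResponse.getAuthTime) are used as I understand the library's API, and an OP that ignores the PAPE request will simply fail the auth_time check.

```java
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import java.util.TimeZone;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.ParameterList;
import org.openid4java.message.pape.PapeRequest;
import org.openid4java.message.pape.PapeResponse;

public class RpLogoutHandling {
    // Assumed RP return URL and session attribute name (not from the thread).
    private static final String RETURN_TO = "https://rp.example/openid/return";
    private static final String DISC_ATTR = "openid-discovered";
    // How recent the OP-reported auth_time must be for us to trust it (assumed policy).
    private static final long MAX_AUTH_AGE_SECONDS = 60;

    private final ConsumerManager manager = new ConsumerManager();

    // Step 1: RP-side logout. Only the RP session can be ended here; the OP session
    // stays alive, so the user is told to log out of the OP as well.
    public void logout(HttpServletRequest req, HttpServletResponse resp) throws Exception {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setContentType("text/html; charset=UTF-8");
        resp.getWriter().println("You are logged out of this site. "
                + "Don't forget to log out of your OpenID Provider as well.");
    }

    // Step 2: build the OP redirect and ask for fresh authentication (PAPE max_auth_age=0).
    public String buildLoginRedirect(HttpServletRequest req, String userSuppliedId) throws Exception {
        List discoveries = manager.discover(userSuppliedId);
        DiscoveryInformation discovered = manager.associate(discoveries);
        req.getSession(true).setAttribute(DISC_ATTR, discovered);

        AuthRequest authReq = manager.authenticate(discovered, RETURN_TO);
        PapeRequest pape = PapeRequest.createPapeRequest();
        pape.setMaxAuthAge(0); // 0 = the OP should re-prompt for credentials now
        authReq.addExtension(pape);
        return authReq.getDestinationUrl(true);
    }

    // Step 3: on return, accept the assertion only if the OP reports a fresh auth_time.
    // Returns the verified identifier, or null if the login must be refused.
    public Identifier verifyReturn(HttpServletRequest req) throws Exception {
        ParameterList params = new ParameterList(req.getParameterMap());
        DiscoveryInformation discovered =
                (DiscoveryInformation) req.getSession().getAttribute(DISC_ATTR);

        StringBuffer receivingUrl = new StringBuffer(req.getRequestURL().toString());
        String query = req.getQueryString();
        if (query != null && query.length() > 0) {
            receivingUrl.append('?').append(query);
        }

        VerificationResult verification = manager.verify(receivingUrl.toString(), params, discovered);
        Identifier verified = verification.getVerifiedId();
        if (verified == null) {
            return null; // signature / return_to / nonce checks failed
        }

        AuthSuccess authSuccess = (AuthSuccess) verification.getAuthResponse();
        if (!authSuccess.hasExtension(PapeResponse.OPENID_NS_PAPE)) {
            return null; // OP ignored our PAPE request; we cannot tell whether it re-authenticated
        }
        PapeResponse papeResp = (PapeResponse) authSuccess.getExtension(PapeResponse.OPENID_NS_PAPE);
        if (!isFresh(papeResp.getAuthTime(), MAX_AUTH_AGE_SECONDS)) {
            return null; // OP reused an old login session instead of re-prompting
        }
        return verified;
    }

    // PAPE reports auth_time as ISO 8601 UTC, e.g. 2009-07-23T13:34:04Z.
    static boolean isFresh(String authTime, long maxAgeSeconds) {
        if (authTime == null) {
            return false;
        }
        try {
            SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
            fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
            Date when = fmt.parse(authTime);
            long ageSeconds = (System.currentTimeMillis() - when.getTime()) / 1000;
            return ageSeconds >= 0 && ageSeconds <= maxAgeSeconds;
        } catch (java.text.ParseException e) {
            return false;
        }
    }
}
```

The design point is that the RP never gets a way to close the OP session, so the defence is twofold: end the RP session and warn the user (step 1), and refuse to mint a new RP session from a stale OP login (steps 2 and 3). Dropping the auth_time check would leave the RP trusting whatever the OP decides to do with the max_auth_age hint.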