[OpenID] Autologin?

SitG Admin sysadmin at shadowsinthegarden.com
Mon Jun 22 16:36:41 UTC 2009


>1) If the user authenticates once with their OP, then hits "allow 
>this site to remember me", I guess I'm returned some info from the 
>OP about that decision. So then I would write a cookie about their 
>decision. What would I include in the cookie - just their OpenID 
>username/url right? That way when they visit my site again, I grab 
>the name from the cookie, then just run the login service again 
>immediately?

If you're using SSL to protect the login service, thus enabling users 
to enter their URI so observers on the network can't see it, I would 
recommend *against* this (unless your login page is also on a 
separate subdomain of the site and your cookie is restricted to that 
specifically), because the user would send that cookie when they 
first connected to the site (say, requesting '/'), and their URI 
would then become exposed.

This is a fairly specific scenario, though, so in most cases I don't 
think privacy would be affected. Keeping track of the URI is more 
efficient than using a random ID and indefinitely maintaining a 
database to link up those IDs with URIs.

-Shade
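To illustrate the scope concern in the reply above, here is an added example (not code from the list post) that models how a browser decides whether to attach a cookie, then compares a site-wide OpenID cookie with one restricted to a login subdomain; the hostnames and the use of the Secure attribute are assumptions for the example.

```python
"""Added example: cookie scoping for a stored OpenID URI.

Models the Domain/Path/Secure matching a browser applies before attaching a
cookie, and shows which cookie values an on-path observer could read on the
user's first, plain-HTTP request to '/'. All hostnames are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str          # host (and its subdomains) the cookie is scoped to
    path: str = "/"
    secure: bool = False  # assumption: Secure attribute, not in the post


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Domain attribute semantics: exact host or any subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_sent(cookie: Cookie, url: str) -> bool:
    """Would a browser attach `cookie` to a request for `url`?"""
    u = urlparse(url)
    if cookie.secure and u.scheme != "https":
        return False
    if not domain_matches(u.hostname or "", cookie.domain):
        return False
    path = u.path or "/"
    return path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")


def exposed_identifiers(cookies, url):
    """Cookie values visible to a network observer if `url` is fetched in clear."""
    if urlparse(url).scheme == "https":
        return []  # TLS protects the header; nothing exposed
    return [c.value for c in cookies if cookie_sent(c, url)]


# Constructed sample: the same OpenID URI stored two ways.
OPENID_URI = "https://alice.example.net/"  # constructed user identifier
LEAKY = Cookie("openid", OPENID_URI, domain="example.com")
SCOPED = Cookie("openid", OPENID_URI, domain="login.example.com", secure=True)

if __name__ == "__main__":
    first_hit = "http://example.com/"  # user's first request to the site
    print(exposed_identifiers([LEAKY], first_hit))   # URI leaks
    print(exposed_identifiers([SCOPED], first_hit))  # nothing sent
    print(cookie_sent(SCOPED, "https://login.example.com/openid/start"))
```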



More information about the general mailing list