[OpenID] Automatic login with checkid_immediate

SitG Admin sysadmin at shadowsinthegarden.com
Wed May 20 16:28:17 UTC 2009


>If you're signed in to your Gmail account and you use your Gmail 
>account as your OpenID, why wouldn't you want to automatically be 
>signed in to all the sites that you've linked your Gmail identity to 
>(that's rhetorical - I can think of reasons too)?

The only one occurring to me is privacy. From a security perspective, 
if various RPs will accept OpenID logins from the terminal you're at 
as having your Google identity, without Google requiring further 
verification from the user at this terminal (only PRESUMED to be 
you), there is no difference between being logged out of a given RP 
and being logged back in - because you still CAN log back in, or 
anyone with access to the same terminal can, without any further 
verification.

A time field for "how long ago has user authenticated to OP" would be 
nice here; RPs could compare to "when users opted to log out" to 
detect this kind of attack. (It would still not work well with 
*other* RPs supporting Google identity.)

-Shade
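The check proposed above (compare the OP's "last authenticated" time against the RP's own record of when the user logged out) can be built on the PAPE 1.0 extension, which defines an `openid.pape.auth_time` response field in `YYYY-MM-DDThh:mm:ssZ` form. The following is an added RP-side example written for this post; it is not code from the thread, from Google, or from any OpenID library. It assumes the OP supports PAPE and returns `auth_time`, that the response has already been signature-verified, and that the RP stores a per-user logout timestamp; the sample response dict is constructed and its `claimed_id` is a placeholder.

```python
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def utc(*parts):
    """Build an aware UTC datetime from (year, month, day, hour, minute, second)."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample: a positive checkid_immediate response as the RP sees it
# after URL-decoding. Signature verification is assumed to have happened already.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://example.invalid/openid/PLACEHOLDER-USER",  # placeholder
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2009-05-20T14:00:00Z",
}


def _pape_alias(response):
    """Find the namespace alias the OP used for PAPE ('pape' by convention, not by rule)."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def parse_auth_time(response):
    """Return the PAPE auth_time as an aware UTC datetime, or None if absent or malformed."""
    alias = _pape_alias(response)
    if alias is None:
        return None
    raw = response.get("openid.%s.auth_time" % alias)
    if not raw:
        return None
    try:
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def decide_immediate_login(response, last_logout, now,
                           max_age=timedelta(hours=24), skew=timedelta(minutes=5)):
    """Decide whether the RP should honour a checkid_immediate assertion.

    Returns "accept" or "require_setup"; the latter means: send the user
    through checkid_setup so the OP re-verifies whoever is at the keyboard.
    last_logout is the RP's own record of the user's last explicit logout
    (None if the user never logged out here).
    """
    if response.get("openid.mode") != "id_res":
        return "require_setup"  # OP answered setup_needed or an error
    auth_time = parse_auth_time(response)
    if auth_time is None:
        return "require_setup"  # no freshness info: a stale session is indistinguishable
    if auth_time > now + skew:
        return "require_setup"  # implausible future timestamp (clock problem or bad data)
    if last_logout is not None and auth_time <= last_logout:
        return "require_setup"  # the case from the post: OP session predates the user's logout
    if now - auth_time > max_age:
        return "require_setup"  # RP policy: too long since the user actively authenticated
    return "accept"


if __name__ == "__main__":
    now = utc(2009, 5, 20, 16, 28, 17)
    print(decide_immediate_login(SAMPLE_RESPONSE, utc(2009, 5, 20, 15, 0, 0), now))  # require_setup
    print(decide_immediate_login(SAMPLE_RESPONSE, utc(2009, 5, 20, 13, 0, 0), now))  # accept
```

The RP can also ask for freshness up front by sending `openid.pape.max_auth_age` in the checkid_immediate request, but the response-side check is what catches the logout case: an OP session left open on a shared terminal still reports an `auth_time` earlier than the logout the user performed, and the RP refuses to silently re-establish the session. As the post notes, this only protects the RP holding the logout record; other RPs trusting the same OP session are unaffected.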
