[OpenID] Feedback from OpenID demo
SitG Admin
sysadmin at shadowsinthegarden.com
Wed May 27 06:33:01 UTC 2009
>Doing some kind of call to the OP on every request (or every few
>requests), much as is done with Facebook Connect today, can solve
>this problem, but it creates new problems
I currently leave the OpenID headers missing from my site, and the OP
unavailable; if I ever want to log in with OpenID, these can both be
put back in place just long enough for that. If an RP were to check
back in again later on, when I had not explicitly commanded it to do
so (and thus been expecting that, in advance, so I knew to make this
possible), it would then experience an error.

Repeated calls seem improper; the *user* is maintaining an active
session with the RP, their OP is not (maintaining an active session).
The user shouldn't find their session automatically terminated just
because the OP can't send a "keep-alive" signal (when prompted) every
few requests.

I again think that we are losing the difference between being "logged
out" and "logged in" - with our old password system, a credential can
be presented *at the moment of authentication ONLY*, and will not
automatically be repeated for any other site. (Nor need it be
retained by the RP, which stores in session the fact that this user
has authenticated successfully, and does not need to compare the
user's password to their database again. Which sounds very much like
OpenID.) What we're looking at here, with auto-login, is a
three-way-session during which the RP, the user, and the OP must all
be active and talking to one another; but with the OP automatically
logging in users to the RP, the RP can't rely on its *own* session
automatically logging out a user, because the "user" (or attacker, at
that terminal) will simply be logged back in again by their OP.
-Shade
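The session behaviours argued over in the post above, as an added toy model (this is not code from the original post, from the list, or from any OpenID library). It assumes a hypothetical relying party class with three switchable policies: `auto_login` (after the RP's own session ends, silently ask the OP and log the browser back in if the OP still vouches for it), `honor_logout` (refuse that silent re-login once the RP has ended the session), and `recheck_every` (the "keep-alive" variant that asks the OP every N requests and drops the user if the OP does not answer). The identifier, the idle timeout, and the offline-OP flag are constructed stand-ins.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 600   # seconds; an assumed RP policy, not an OpenID constant
ALICE = "https://alice.example/"   # constructed identifier for the example


@dataclass
class OP:
    """Stand-in for the user's OpenID Provider.  `available` models the
    poster's practice of keeping the OP offline except while logging in."""
    identity: str
    available: bool = True

    def check_immediate(self, identity):
        # Answers, with no user interaction, whether this browser is logged in
        # at the OP.  An unreachable OP is treated as "no" (the RP sees an error).
        return self.available and identity == self.identity


@dataclass
class Session:
    identity: str
    last_seen: float
    requests: int = 0
    logged_out: bool = False   # explicit "this session has ended" marker


class RP:
    """Hypothetical relying party; see the lead-in for the three policies."""

    def __init__(self, auto_login=False, honor_logout=False, recheck_every=0):
        self.auto_login = auto_login
        self.honor_logout = honor_logout
        self.recheck_every = recheck_every
        self.sessions = {}   # browser cookie -> Session

    def login_interactive(self, cookie, identity, now):
        # A completed, user-driven authentication: the RP records the fact
        # and, like a password login, need not consult anyone again.
        self.sessions[cookie] = Session(identity, now)

    def request(self, cookie, op, now):
        """Identity the RP treats as logged in for this request, or None."""
        s = self.sessions.get(cookie)
        if s is None:
            return None
        if not s.logged_out and now - s.last_seen > IDLE_TIMEOUT:
            s.logged_out = True   # the RP's own idle timeout ends the session
        if not s.logged_out:
            s.requests += 1
            s.last_seen = now
            if (self.recheck_every and s.requests % self.recheck_every == 0
                    and not op.check_immediate(s.identity)):
                s.logged_out = True   # keep-alive failed: the user is thrown out
                return None
            return s.identity
        # The RP's session is over.  With auto-login and no logout marker,
        # whoever is at the terminal is silently logged back in by the OP.
        if (self.auto_login and not self.honor_logout
                and op.check_immediate(s.identity)):
            s.logged_out = False
            s.last_seen = now
            return s.identity
        return None


def scenario(auto_login=False, honor_logout=False, recheck_every=0,
             op_online_after_login=True):
    """One browser: interactive login at t=0, requests at t=0, 100, 200, then
    a request at t=1000, after the idle timeout (the 'attacker at the
    terminal' case).  Returns the identity the RP saw at each request."""
    op = OP(ALICE)
    rp = RP(auto_login, honor_logout, recheck_every)
    rp.login_interactive("cookie1", ALICE, now=0)
    op.available = op_online_after_login   # poster's OP goes dark after login
    return [rp.request("cookie1", op, now=t) for t in (0, 100, 200, 1000)]


if __name__ == "__main__":
    print("password-like RP:        ", scenario())
    print("auto-login RP:           ", scenario(auto_login=True))
    print("auto-login, logout kept: ", scenario(auto_login=True, honor_logout=True))
    print("keep-alive, OP offline:  ", scenario(recheck_every=2,
                                                 op_online_after_login=False))
```

Run as a script it prints the four cases: the password-like RP logs the browser out at t=1000 on its own timer; the auto-login RP lets the OP undo that timeout, so the late request is still served as alice; keeping an explicit logged-out marker restores the RP's control; and the keep-alive RP with the poster's offline OP drops the user at the second request even though the user never left.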