<div>I was assuming that the login session would be maintained by a non-persistent cookie, and the OpenID identifier would be a persistent cookie that would last (intentionally vague) a longer time. </div><div><br></div>Yes, there would be latency between log out of OP and effective auto-log-out of RP to be sure. But the "log out of OP, and every single RP" would be reduced to "log out of OP, and close your browser".<div>
<br></div><div>Allen, your point about checkid_immediate breaking in full-windows is very well taken. I'd completely forgotten about that. I guess that forces me into my backup/alternate plan of:</div><div><br>
</div><div>Every page that includes a "Login" link will include a snippet (ASP.NET control in my case) that tests for the ability to auto-login the user via an iframe checkid_immediate in the background. This may use the persisted identifier from a previous login, <i>and/or</i> just try some popular OP identifiers (in order to improve the user experience if the user is using an unfamiliar kiosk but has already logged into [popular OP]). If the client finds it gets a positive assertion, it changes or adds to the "Login" link UI a message like "(auto-login now)", which forwards the positive assertion to the server for processing and logs the user in without any further interaction. This is sort of like Facebook's approach, except that instead of dragging the user in, it lets the user click to log in, but lets them know that it will be a very quick, non-interactive process.</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Mon, Jul 13, 2009 at 12:29 PM, Allen Tom <span dir="ltr"><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">Andrew Arnott wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I've heard some reactions by users who were new to OpenID that were surprised that logging out of the OP didn't automatically log them out of the RPs. I know we've had several "single-sign-out" threads on this list, and this seems like it would solve it with no change to the OpenID spec. <br>
</blockquote>
<br></div>
Having the RP periodically send checkid_immediate requests to "refresh" the current session helps with the single sign out issue, but unless the RP does checkid_immediate on every page view, there will still be latency from the time the user signs out of the OP until when the user's session is expired on the RP.<br>
<br>
Also, this proposal doesn't address the case where the user signs out of the RP, and the sign out event needs to be propagated back up to the OP.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I think the approach I'm going to start with is the full-window redirect using checkid_immediate,<br>
</blockquote>
<br></div>
Well, the Security Best Practices document says that OPs should verify that checkid_immediate is running within a frame, otherwise it could be exploited as an open redirector....<br>
<br>
<a href="http://wiki.openid.net/OpenID-Security-Best-Practices" target="_blank">http://wiki.openid.net/OpenID-Security-Best-Practices</a><br><font color="#888888">
<br>
Allen<br>
<br>
</font></blockquote></div><br></div>
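<div>The background auto-login probe described in the reply above, written out as an added example in plain browser JavaScript rather than the ASP.NET control the message mentions. It is not code from the thread or from either author. Everything it names is assumed for illustration: the OP endpoints and identifiers, the RP's return_to URL and realm, the hidden-iframe plus postMessage channel by which the return_to page hands the OP's response back to the parent page, and the <code>/login/openid-assertion</code> server path. Discovery is skipped (each identifier's OP endpoint is taken from a constructed table), and the client only decides whether to show the "(auto-login now)" hint; the server must still verify the forwarded assertion before creating a session.</div>

```javascript
// Added example (not from the thread): RP-side checkid_immediate auto-login probe.
// All endpoints, identifiers, URLs and the server path below are assumptions.

const OPENID_NS = "http://specs.openid.net/auth/2.0";

// Order of identifiers to probe: the one persisted from a previous login first,
// then a constructed list of "popular OP" identifiers, duplicates dropped.
function candidateIdentifiers(persistedId, popularIds) {
  const seen = new Set();
  const out = [];
  for (const id of [persistedId, ...popularIds]) {
    if (id && !seen.has(id)) { seen.add(id); out.push(id); }
  }
  return out;
}

// Build the checkid_immediate request URL that is loaded into a hidden iframe.
// (Real code would discover opEndpoint from the identifier; assumed known here.)
function buildImmediateUrl(opEndpoint, claimedId, returnTo, realm) {
  const params = new URLSearchParams({
    "openid.ns": OPENID_NS,
    "openid.mode": "checkid_immediate",
    "openid.claimed_id": claimedId,
    "openid.identity": claimedId,
    "openid.return_to": returnTo,
    "openid.realm": realm,
  });
  return opEndpoint + (opEndpoint.includes("?") ? "&" : "?") + params.toString();
}

// Classify what the OP sent back to return_to (its query string). This only decides
// whether to show the "(auto-login now)" hint; it is not authentication. The server
// must verify openid.sig, the response_nonce and return_to before creating a session.
function classifyImmediateResponse(queryString) {
  const p = new URLSearchParams(queryString);
  const mode = p.get("openid.mode");
  if (mode === "setup_needed") return { result: "setup_needed" };      // OpenID 2.0 negative
  if (mode === "id_res" && p.get("openid.user_setup_url")) {
    return { result: "setup_needed" };                                  // OpenID 1.1 negative
  }
  if (mode === "id_res" && p.get("openid.sig") && p.get("openid.signed")) {
    const assertion = {};            // keep every openid.* field: the server needs
    for (const [k, v] of p) {        // all signed fields to check the signature
      if (k.startsWith("openid.")) assertion[k] = v;
    }
    return { result: "positive", assertion };
  }
  return { result: "unknown" };
}

// Browser-only: run one probe in a hidden iframe. Assumes the return_to page does
// window.parent.postMessage(location.search, <RP origin>) when it loads.
function probeInBackground(identifier, opEndpoint, returnTo, realm, onResult) {
  const frame = document.createElement("iframe");
  frame.style.display = "none";
  frame.src = buildImmediateUrl(opEndpoint, identifier, returnTo, realm);
  const timer = setTimeout(() => finish({ result: "unknown" }), 10000); // OP never answered
  function finish(r) {
    clearTimeout(timer);
    window.removeEventListener("message", onMsg);
    frame.remove();
    onResult(r);
  }
  function onMsg(ev) {
    // Only accept the message from our own frame on our own origin.
    if (ev.origin !== window.location.origin || ev.source !== frame.contentWindow) return;
    finish(classifyImmediateResponse(String(ev.data)));
  }
  window.addEventListener("message", onMsg);
  document.body.appendChild(frame);
}

// Turn the "Login" link into "(auto-login now)"; on click, forward the whole
// assertion to the server, which does the real verification and sets the session.
function offerAutoLogin(link, assertion) {
  link.textContent = "Login (auto-login now)";
  link.addEventListener("click", (ev) => {
    ev.preventDefault();
    fetch("/login/openid-assertion", {            // assumed server path
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: new URLSearchParams(assertion).toString(),
    }).then(() => window.location.reload());
  });
}

if (typeof document !== "undefined" && document.querySelector("a.login")) {
  const link = document.querySelector("a.login");
  // Constructed sample values; the persisted id would normally come from a long-lived cookie.
  const endpoints = {
    "https://alice.op.example/": "https://op.example/server",
    "https://popular-op.example/": "https://popular-op.example/server",
  };
  const ids = candidateIdentifiers("https://alice.op.example/", ["https://popular-op.example/"]);
  (function next(i) {
    if (i >= ids.length) return;                  // nothing auto-loginable; plain "Login" stays
    probeInBackground(ids[i], endpoints[ids[i]], "https://rp.example/openid/return",
      "https://rp.example/",
      (r) => (r.result === "positive" ? offerAutoLogin(link, r.assertion) : next(i + 1)));
  })(0);
}
```

<div>The probe runs inside an iframe on purpose: as the quoted message notes, an OP is expected to refuse checkid_immediate outside a frame, so a full-window probe would simply fail. The forwarded assertion is passed through whole because the server can only check the signature if it receives every field listed in openid.signed.</div>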