[security] PAPE Policy for RPs to force authentication without browser cookie
James A. Donald
jamesd at echeque.com
Wed Jul 1 22:09:14 UTC 2009
Dick Hardt wrote:
> Given that we want to provide a similar flow, but the authentication is
> now done by the OP, what does Amazon do if the user pauses right after
> re-authenticating, but before completing the purchase?

You can pause for quite a long time, I would assume twenty minutes.

From the behavior I conjecture that Amazon has low privilege cookies
that never time out for interacting with the user, and high privilege
cookies for buying stuff that after a while get deprivileged. If you
want to buy stuff, you need a high privilege cookie.

In which case, the request should tell whether it wants to create a high
privilege or low privilege cookie, and the OP then considers whether it
has recently granted a high privilege authentication. If it has
recently granted a high privilege authentication, it promptly grants
another; otherwise it forces the user to log in again.

This account of the algorithm is theory based on casual observation,
which theory needs testing.
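
The decision described in the message above, as an added Python example that is not part of the original post and is not Amazon's or any OP's code. All names are hypothetical, the 20-minute window is an assumed value taken from the post's guess, and measuring the window from the last interactive login (so that silent grants never extend it) is a design assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed value: the post only guesses "twenty minutes".
HIGH_PRIV_WINDOW = 20 * 60  # seconds


@dataclass
class OPSession:
    """Hypothetical per-user state kept by the OP."""
    user: str
    # When the user last typed credentials for a high privilege grant.
    last_interactive_high: Optional[float] = None


def op_decide(session: OPSession, requested: str, now: float,
              window: int = HIGH_PRIV_WINDOW) -> str:
    """OP side: return 'grant' or 'reauth' for an RP asking for a
    'low' or 'high' privilege cookie."""
    if requested == "low":
        return "grant"  # low privilege never times out
    if requested != "high":
        raise ValueError("unknown privilege level: %r" % requested)
    t = session.last_interactive_high
    # A timestamp in the future (clock skew, tampering) is not "recent".
    if t is not None and 0 <= now - t <= window:
        # Silent grant. The timestamp is deliberately NOT refreshed here,
        # so repeated requests cannot slide the window forward forever.
        return "grant"
    return "reauth"


def complete_reauth(session: OPSession, now: float) -> None:
    """Record that the user has just logged in interactively."""
    session.last_interactive_high = now


def rp_effective_privilege(cookie_level: str, issued_at: float, now: float,
                           window: int = HIGH_PRIV_WINDOW) -> str:
    """RP side: a high privilege cookie is deprivileged to low after the
    window; anything else is treated as low."""
    if cookie_level == "high" and 0 <= now - issued_at <= window:
        return "high"
    return "low"
```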