[security] OpenID Security Best Practices Doc
Martin Atkins
mart at degeneration.co.uk
Tue Jun 9 19:59:48 UTC 2009
Allen Tom wrote:
>
> I believe that Facebook Connect takes the very extreme approach with
> requiring Connect RPs to do the equivalent of checkid_immediate on every
> page view. This also has the nice benefit of enforcing single sign out
> across all RPs when the user signs out of Facebook. Not sure if this is
> the solution that OpenID should go with, however, it's certainly
> interesting.
>
I may be mistaken, but I believe the Facebook Connect check on every
page is not a security feature but rather a UX feature. Its purpose is
to keep the session state on the "RP" consistent with the session state
on Facebook to avoid strange situations where the RP presents
information from both backchannel API requests and client-side API
requests and these two actually represent different users.
However, it cannot be relied upon as a security feature without
additional protections because an attacker can simply prevent his user
agent from making the request to Facebook and thus keep the RP session
active. (You could potentially supplement this with additional
backchannel checks to ensure that the client-side request actually ran,
but as far as I'm aware Facebook Connect does not offer this today.)
In other words, it presents the illusion of single sign-out. It does
not, however, provide the security benefits of single sign-out. I cannot
simply log out of Facebook and assume that my session at RP sites has
also ended.
If I'm mistaken about this I'm happy to be corrected.
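The following toy model is an added illustration for this thread, not code from the message above and not Facebook Connect's or OpenID's real API (class and method names such as `client_check`, `backchannel_verify` and `serve_page_fail_closed` are invented for the example). It contrasts the two designs the message distinguishes: an RP that serves the page and merely asks the user agent to report whether the IdP session is still alive (fail-open, so a user agent that never makes the request keeps the RP session alive), and an RP that hands the user agent a nonce and then asks the IdP server-to-server whether a signed-in user agent actually presented it before serving anything (fail-closed, the "additional backchannel check" the message suggests).

```python
"""Toy model (added example, not Facebook Connect's or OpenID's real API) of a
client-side "still signed in?" check versus a backchannel-verified one."""
import secrets


class IdentityProvider:
    """Stands in for the IdP (Facebook in the thread): knows who is signed in
    and which RP-issued nonces signed-in user agents have presented."""

    def __init__(self):
        self.sessions = {}        # idp_cookie -> user id
        self.seen_nonces = set()  # nonces presented while signed in

    def sign_in(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def sign_out(self, idp_cookie):
        self.sessions.pop(idp_cookie, None)

    def client_check(self, idp_cookie, nonce):
        """Client-side request made by the user agent. Only a signed-in agent
        gets its nonce recorded; the caller learns True/False."""
        if idp_cookie in self.sessions:
            self.seen_nonces.add(nonce)
            return True
        return False

    def backchannel_verify(self, nonce):
        """Server-to-server request from the RP: did a signed-in user agent
        actually present this nonce? The user agent cannot influence this."""
        return nonce in self.seen_nonces


class UserAgent:
    def __init__(self, idp_cookie, blocks_idp_requests=False):
        self.idp_cookie = idp_cookie
        self.blocks_idp_requests = blocks_idp_requests  # attacker-controlled browser

    def run_client_check(self, idp, nonce):
        """Returns the IdP's answer, or None if the request was never made."""
        if self.blocks_idp_requests:
            return None
        return idp.client_check(self.idp_cookie, nonce)


class RelyingParty:
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}  # rp_cookie -> user id (IdP assertion step omitted)

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def serve_page_fail_open(self, rp_cookie, user_agent):
        """Client-side design: serve the page and ask the user agent to check.
        A negative report ends the RP session; a missing report changes nothing."""
        if rp_cookie not in self.sessions:
            return None
        report = user_agent.run_client_check(self.idp, secrets.token_hex(8))
        if report is False:                 # honest agent said "signed out"
            del self.sessions[rp_cookie]
            return None
        return self.sessions[rp_cookie]     # report None (blocked) still serves

    def serve_page_fail_closed(self, rp_cookie, user_agent):
        """Backchannel-supplemented design: issue a nonce, let the user agent
        present it, then ask the IdP directly. No proof, no page."""
        if rp_cookie not in self.sessions:
            return None
        nonce = secrets.token_hex(8)
        user_agent.run_client_check(self.idp, nonce)   # attacker may skip this
        if not self.idp.backchannel_verify(nonce):
            del self.sessions[rp_cookie]
            return None
        return self.sessions[rp_cookie]


def _setup(blocks_idp_requests):
    idp = IdentityProvider()
    rp = RelyingParty(idp)
    idp_cookie = idp.sign_in("alice")
    ua = UserAgent(idp_cookie, blocks_idp_requests)
    return idp, rp, ua, idp_cookie, rp.login("alice"), rp.login("alice")


def demo_signed_in():
    """Honest, still-signed-in user: both designs show the page."""
    _, rp, ua, _, c_open, c_closed = _setup(False)
    return rp.serve_page_fail_open(c_open, ua), rp.serve_page_fail_closed(c_closed, ua)


def demo_after_idp_sign_out(blocks_idp_requests):
    """User signs out at the IdP, then views a page under each design.
    Returns (user shown by fail-open RP, user shown by fail-closed RP)."""
    idp, rp, ua, idp_cookie, c_open, c_closed = _setup(blocks_idp_requests)
    idp.sign_out(idp_cookie)
    return rp.serve_page_fail_open(c_open, ua), rp.serve_page_fail_closed(c_closed, ua)
```

With an honest browser both designs end the RP session after the IdP sign-out. With a browser that simply never makes the client-side request, the fail-open RP keeps showing the page as "alice", which is the illusion of single sign-out described above; the fail-closed RP refuses, because the decision rests on a server-to-server answer the user agent cannot withhold or forge. The cost is that the fail-closed RP must make that backchannel call on every protected page view, which is the trade-off being debated in the thread.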