[Openid-specs-ab] Session Management Demo Code
Emmanuel Raviart
emmanuel at raviart.com
Mon Jul 30 17:08:18 UTC 2012
I have also implemented session management support using this sample code.
But I have one remark and one problem:
- The remark: The OP cookie must not have the flag httpOnly set.
Otherwise it is not readable by the OP iframe (i.e. window.cookie always
returns ""). Since I don't want to use an insecure cookie for managing
user authentication, I had to create a new cookie dedicated to session
management and never read by the server.
- The problem: The OP cookie can never be read by the OP iframe when you
don't accept third-party cookies. I had to enable third-party cookies in
the browser settings before being able to have working session management.
Because of this problem, I currently believe it is not realistic to use
an OP cookie in an OP iframe for session management.
-- Emmanuel
On 07/26/2012 12:08 AM, Nat Sakimura wrote:
> Ryo Ito created a sample code for the Session management spec.
>
> Here it is: https://gist.github.com/3149557
>
> Thanks Ryo!
>
> =nat via iPhone
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab