[Openid-specs-ab] Results of session management editing session

Breno de Medeiros breno at google.com
Thu Oct 25 20:17:05 UTC 2012


On Thu, Oct 25, 2012 at 12:30 PM, Torsten Lodderstedt
<torsten at lodderstedt.net> wrote:
> Hi Breno,
>
> I haven't seen an inquiry for contributions. But nevertheless, I trust your
> experience and look forward to collecting my own experiences with the proposed
> mechanism.
>
> Is there a compelling strategy regarding the increasingly restrictive 3rd
> party cookie handling by browsers?

The restrictive 3rd party cookie handling policies currently
implemented by browsers also prevent immediate flow. I expect this
issue will need to be eventually addressed at a much higher level than
the current session management draft. Unfortunately, there are no
obvious alternatives at this point. The alternative OP push proposal
can be made to work around such restrictive policies (since it's only
cookie deletion) but is otherwise quite difficult to implement and
somewhat brittle.

>
> regards,
> Torsten.
>
> On 25.10.2012 19:21, Breno de Medeiros wrote:
>
>> On Thu, Oct 25, 2012 at 10:13 AM, Torsten Lodderstedt
>> <torsten at lodderstedt.net> wrote:
>>>
>>> Hi Breno,
>>>
>>> didn't realize that. When was this decision made?
>>
>> Since reasonably specific language describing the proposed mechanism
>> was not submitted and hence not evaluated, I believe that was not so
>> much a decision but a pragmatic consensus that evolved during the
>> regular group deliberations, i.e., via email or during the weekly
>> phone calls.
>>
>>> Regards,
>>> Torsten.
>>>
>>>
>>>
>>> Breno de Medeiros <breno at google.com> wrote:
>>>>
>>>> On Thu, Oct 25, 2012 at 4:38 AM, Torsten Lodderstedt
>>>> <torsten at lodderstedt.net> wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> this draft does not describe the alternative/fallback mechanism to
>>>>> propagate logout events from OP to RPs via browser redirects we talked
>>>>> about at last IIW. When will this be added? Otherwise for non-HTML5
>>>>> browsers, RPs will need to periodically check the state via a regular
>>>>> login request with mode prompt="none" in order to detect state changes.
>>>>
>>>>
>>>> We have decided against specifying this feature in the spec. We
>>>> believe that it adds significant complexity for diminishing returns
>>>> (as fewer browsers don't support HTML5).
>>>>
>>>>
>>>>> regards,
>>>>> Torsten.
>>>>>
>>>>> On 25.10.2012 02:49, Mike Jones wrote:
>>>>>
>>>>> Attached
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ________________________________
>>>>>
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> --Breno
>>
>>
>>
>> --
>> --Breno
>
>



--
--Breno
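
The prompt="none" polling fallback mentioned in the thread, sketched from the RP side as an added example that is not part of the original messages or of the draft under discussion. The endpoint, client_id and redirect_uri are constructed placeholders, and the error codes are the ones defined in the published OpenID Connect Core specification, not values taken from this thread.

```javascript
// Added example: RP-side session polling with prompt=none.
const OP_AUTHZ_ENDPOINT = "https://op.example/authorize";   // hypothetical
const CLIENT_ID = "rp-client-123";                          // hypothetical
const REDIRECT_URI = "https://rp.example/silent-callback";  // hypothetical

// Errors meaning the OP could not answer without showing UI.
const NEEDS_INTERACTION = new Set([
  "login_required", "interaction_required",
  "consent_required", "account_selection_required",
]);

// Build the no-UI authentication request the RP sends on each poll.
function buildSilentCheckUrl(state, nonce) {
  const u = new URL(OP_AUTHZ_ENDPOINT);
  u.search = new URLSearchParams({
    response_type: "code",
    scope: "openid",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    prompt: "none",
    state,
    nonce,
  }).toString();
  return u.toString();
}

// Classify the redirect the OP sends back to REDIRECT_URI.
function classifySilentResponse(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  const p = u.searchParams;
  // Accept only responses on our own callback that echo our state value.
  if (u.origin + u.pathname !== REDIRECT_URI) {
    return { status: "rejected", reason: "unexpected_redirect_uri" };
  }
  if (p.get("state") !== expectedState) {
    return { status: "rejected", reason: "state_mismatch" };
  }
  const error = p.get("error");
  if (error) {
    // If the poll ran in an iframe with third-party cookies blocked, the OP
    // never saw its session cookie, so this result does not prove a logout.
    if (NEEDS_INTERACTION.has(error)) return { status: "no_session", reason: error };
    return { status: "error", reason: error };
  }
  if (p.get("code")) return { status: "session_active", code: p.get("code") };
  return { status: "rejected", reason: "malformed_response" };
}
```

A "session_active" result still requires redeeming the code and comparing the returned ID Token subject with the user the RP has logged in, since a different user at the OP is also a state change.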

