[OT] our cookie expiration

Dick Hardt dick at sxip.com
Mon Oct 9 04:35:19 UTC 2006


On 4-Oct-06, at 2:20 PM, Kevin Turner wrote:

> On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
>> it's been my experience that users are willing to trade an awful lot of
>> security to avoid software nagging at them repeatedly.
>
> Which goes back to what Dick was saying about his myopenid.com login
> cookie not expiring.  Users didn't like logging in after every time
> their browser restarted, so we made the cookie persistent.

Which I want to have happen for my OpenID transactions today, but I  
would want the site to prompt for a password if I was doing something  
important. The only way for the IdP to know that is for the RP to  
tell it somehow -> auth_age request.

>
> Does that make us a "BadCitizen-IdP"?  I don't believe it does.
> Expiring cookies sooner seems beneficial for a particular group of
> users, those who are:
>
> 1) cautious enough to not leave their myopenid.com password in their
> browser's password cache, and
> 2) careless enough to leave their desktops unlocked when unattended.

I only fall into category (2), but would like to get prompted when it  
is important per above.

> The combination of those two contrasting qualities seems likely to be a
> small subset of our user base.  We hoped the remaining users who really
> wanted to not have old login cookies laying around would avail
> themselves of the "sign off" button.

Signing off from myopenid.com is not readily available in my user experience.
Curious how you expect the user to go to the IdP to log out?

-- Dick
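The "auth_age request" idea in the reply above, worked through as an added example that is not code from the thread, from myopenid.com or from any OpenID library: the IdP keeps its persistent login cookie, but the RP may say how fresh the user's password entry has to be, and the IdP re-prompts only when the stored authentication time is older than that. The field names (`auth_time` in the IdP session, `max_auth_age` in the RP request) and the `handle_checkid` helper are assumptions chosen for the example, not parameters of the OpenID 1.x spec the thread discusses.

```python
"""IdP-side decision: honour a persistent login cookie unless the RP asked
for a more recent authentication than the cookie can vouch for.

Added example; names and structures are assumptions, not OpenID spec terms.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IdPSession:
    """What the IdP's persistent login cookie would let it recover (assumed)."""
    user: str
    auth_time: int  # unix time at which the user last typed the IdP password


@dataclass
class RPRequest:
    """The RP's checkid request, plus the assumed freshness requirement."""
    return_to: str
    max_auth_age: Optional[int] = None  # seconds; None = any live session is fine


def must_reauthenticate(session: Optional[IdPSession], req: RPRequest, now: int) -> bool:
    """True when the IdP has to prompt for the password before asserting."""
    if session is None:
        return True                      # no login cookie at all
    if req.max_auth_age is None:
        return False                     # RP did not ask for freshness: persistent cookie suffices
    return now - session.auth_time > req.max_auth_age


def handle_checkid(session: Optional[IdPSession], req: RPRequest, now: int) -> Tuple[str, Optional[int]]:
    """Return ("prompt", None) when the user must re-enter the password,
    otherwise ("assert", auth_age) where auth_age is how old the
    authentication is in seconds, so the RP can record what it got."""
    if must_reauthenticate(session, req, now):
        return ("prompt", None)
    assert session is not None
    return ("assert", now - session.auth_time)


def reauthenticate(session: IdPSession, now: int) -> IdPSession:
    """After a successful password entry the cookie's auth_time is refreshed."""
    return IdPSession(user=session.user, auth_time=now)


if __name__ == "__main__":
    # Constructed sample: password last entered three days ago, cookie still valid.
    NOW = 1_000_000 + 3 * 86_400
    session = IdPSession(user="dick", auth_time=1_000_000)

    blog = RPRequest(return_to="https://blog.example/comment")              # no freshness demand
    bank = RPRequest(return_to="https://bank.example/transfer", max_auth_age=300)

    print(handle_checkid(session, blog, NOW))   # assert with the three-day-old auth
    print(handle_checkid(session, bank, NOW))   # prompt: too old for a 5-minute requirement
    session = reauthenticate(session, NOW)
    print(handle_checkid(session, bank, NOW))   # assert, auth_age 0 after re-prompt
```

The point of separating `must_reauthenticate` from the cookie lifetime is the one made in the thread: the cookie can stay persistent for low-value sites, and only an RP that says it is doing something important forces the password prompt.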



More information about the specs mailing list