Better error messages maybe? :-)

Richard 'toast' Russo russor at msoe.edu
Mon Aug 15 17:48:58 PDT 2005


You could use OpenID to auth on example.org, and then on example.com
(where users are hijacking cookies), auth against example.org on
every request.

So as a user, I would have a cookie with my ID server (livejournal),
and example.org, but not example.com, which my friends can steal
cookies from.

Probably doesn't make your life any easier.

--- Jeremy Smith <jeremyrsmith at gmail.com> wrote:

> I see what you're saying.  My original idea was a site where people
> could ONLY log in through OpenID (as in, there are no user accounts
> for this site specifically) and then my site would not have to host
> any sensitive cookie information.  Then users could have their own
> javascript and other so-called "Web 2.0" nifties without being able
> to hijack other people's logins by stealing cookie information.
> 
> Looks like I should have thought it through better :-)
> 
> -Jeremy
> 
> On 8/15/05, Michael 'hacker' Krelin <hacker at klever.net> wrote:
> > On Mon, Aug 15, 2005 at 01:46:22PM -0700, Jeremy Smith wrote:
> > > By storing an assertion in the session, doesn't that leave the user
> > > vulnerable to replay attacks via cookie theft?  I was hoping using
> > 
> > As much as having persistent session (login, for instance) at all.
> > OpenID lets user confirm who they are like they would do with mere
> > password otherwise. It's up to you what to do with the user once
> > authenticated - use it, for instance, for adding comment and forget or
> > keep session information for the user (possibly associated with IP
> > address).
> > 
> > Love,
> > H
> > 
> > 
> > > OpenID for decentralized authentication would
> > > quell that problem.
> > >
> > > But now that I think about that, I guess there's no way to do it.  Hmmm.
> > >
> > > -Jeremy
> > >
> > > On 8/15/05, Martin Atkins <mart at degeneration.co.uk> wrote:
> > > > Jeremy Smith wrote:
> > > > >
> > > > > Now, another question: How is an OpenID consumer to deal with staying
> > > > > logged in?  Shall I verify the ID (entailing a series of redirects)
> > > > > for every page request?
> > > > >
> > > >
> > > > You should create a session of some description for your user which has
> > > > a duration of as long as you are willing to trust the assertion. How
> > > > long you are willing to allow is up to you, depending on the sensitivity
> > > > of your application and any other criteria you like. How you track the
> > > > session is entirely up to you as well.
> > > >
> > > > Re-verifying for every request is possible but certainly not a good
> > > > idea. For one thing, users whose ID servers don't have a "Yes, every
> > > > time" option will have to keep authorizing it over and over, and I'm
> > > > sure the identity servers themselves won't be too happy.
> > > >
> > > >
> > >
> >
> 
> 

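The design the thread converges on (a consumer-side session that lives only as long as the assertion is trusted, optionally tied to the client IP as Michael suggests) as an added example in Python, not code from any of the posters; the signing secret, identity URL and addresses are constructed, and the cookie is stateless so the consumer stores nothing sensitive server side.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret (assumption: never sent to the browser).
SECRET = b"example-consumer-secret-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC at the end of the cookie


def issue_session(identity: str, client_ip: str, ttl: int, now: Optional[int] = None) -> str:
    """Mint a signed session cookie once the OpenID assertion has been verified.

    ttl is the trust window for the assertion ("as long as you are willing to
    trust the assertion"); the client IP is bound into the signed payload.
    """
    now = int(time.time()) if now is None else now
    payload = f"{identity}|{now}|{now + ttl}|{client_ip}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_session(cookie: str, client_ip: str, now: Optional[int] = None) -> Optional[str]:
    """Return the identity if the cookie is authentic, unexpired and was issued
    to this client address; otherwise None (the request must re-authenticate)."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None                      # not even well-formed base64
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or tampered cookie
    identity, _issued, expires, bound_ip = payload.decode().rsplit("|", 3)
    if now >= int(expires):
        return None                      # trust window for the assertion has passed
    if bound_ip != client_ip:
        return None                      # cookie presented from a different address
    return identity


if __name__ == "__main__":
    t0 = 1_124_150_000  # constructed timestamp
    cookie = issue_session("http://alice.livejournal.com/", "203.0.113.5", ttl=3600, now=t0)
    print(validate_session(cookie, "203.0.113.5", now=t0 + 60))    # the identity
    print(validate_session(cookie, "198.51.100.7", now=t0 + 60))   # None: other host
    print(validate_session(cookie, "203.0.113.5", now=t0 + 7200))  # None: expired
```

The IP binding is the "possibly" in Michael's reply: it shortens what a copied cookie is good for, but users behind NAT pools or on mobile networks change address and will be logged out, so the ttl alone may be the better lever for a low-sensitivity site.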


More information about the yadis mailing list