Better error messages maybe? :-)

Martin Atkins mart at degeneration.co.uk
Mon Aug 15 12:59:52 PDT 2005


Jeremy Smith wrote:
> 
> Now, another question: How is an OpenID consumer to deal with staying
> logged in?  Shall I verify the ID (entailing a series of redirects)
> for every page request?
> 

You should create a session of some description for your user which has
a duration of as long as you are willing to trust the assertion. How
long you are willing to allow is up to you, depending on the sensitivity
of your application and any other criteria you like. How you track the
session is entirely up to you as well.

Re-verifying for every request is possible but certainly not a good
idea. For one thing, users whose ID servers don't have a "Yes, every
time" option will have to keep authorizing it over and over, and I'm
sure the identity servers themselves won't be too happy.
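
An added example, not part of the original message: one way a consumer could track such a session is a signed, expiring token issued once the assertion has been verified and then checked on each request without going back to the identity server. The names `SECRET_KEY`, `SESSION_TTL`, `issue_session` and `check_session`, the token layout, and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)  # assumed: per-deployment signing key
SESSION_TTL = 3600  # assumed: seconds the consumer is willing to trust the assertion


def _sign(payload: str) -> bytes:
    # HMAC-SHA256 over "expires|identity_url", hex-encoded
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_session(identity_url: str, now: Optional[float] = None,
                  ttl: int = SESSION_TTL) -> str:
    """Call once, right after the identity server's assertion was verified."""
    issued = time.time() if now is None else now
    payload = f"{int(issued + ttl)}|{identity_url}"
    return f"{payload}|{_sign(payload).decode()}"


def check_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the identity URL while the session is trusted, else None
    (None means: send the user through OpenID verification again)."""
    try:
        payload, sig = token.rsplit("|", 1)
        expires_s, identity_url = payload.split("|", 1)
        expires = int(expires_s)
    except ValueError:
        return None  # malformed token
    # Constant-time comparison; rejects any change to expiry or identity
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    current = time.time() if now is None else now
    if current >= expires:
        return None  # trust window over: re-verify instead of extending
    return identity_url
```

A more sensitive application would pass a shorter `ttl`; the token would normally travel in a cookie marked `Secure` and `HttpOnly`.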


