Better error messages maybe? :-)
Jeremy Smith
jeremyrsmith at gmail.com
Mon Aug 15 13:46:22 PDT 2005
By storing an assertion in the session, doesn't that leave the user
vulnerable to replay attacks via cookie theft? I was hoping using
OpenID for decentralized authentication would quell that problem.
But now that I think about that, I guess there's no way to do it. Hmmm.
-Jeremy
On 8/15/05, Martin Atkins <mart at degeneration.co.uk> wrote:
> Jeremy Smith wrote:
> >
> > Now, another question: How is an OpenID consumer to deal with staying
> > logged in? Shall I verify the ID (entailing a series of redirects)
> > for every page request?
> >
>
> You should create a session of some description for your user which has
> a duration of as long as you are willing to trust the assertion. How
> long you are willing to allow is up to you, depending on the sensitivity
> of your application and any other criteria you like. How you track the
> session is entirely up to you as well.
>
> Re-verifying for every request is possible but certainly not a good
> idea. For one thing, users whose ID servers don't have a "Yes, every
> time" option will have to keep authorizing it over and over, and I'm
> sure the identity servers themselves won't be too happy.
>
>
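An added illustration of the session handling Martin describes (verify the assertion once, then trust it for a bounded period) and of the limitation Jeremy raises (a stolen cookie works for the rest of that period). This is example code written for this page, not code from the yadis or OpenID projects; the class and function names, the injectable clock, and the identity URL used in the comments are assumptions made for the example.

```python
"""
Session handling for an OpenID consumer (relying party), as discussed in
the thread above: once the assertion has been verified, issue a session
whose lifetime is the period you are willing to trust that assertion,
rather than re-verifying on every request.

Hypothetical illustration; not yadis/OpenID project code. Names and the
sample identity URL are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random id,
    never the assertion or the identity itself. max_age (seconds) is how
    long the relying party is willing to trust one verified assertion."""

    def __init__(self, max_age: float, clock=time.time):
        self.max_age = max_age
        self.clock = clock  # injectable so a test can advance time
        self._sessions = {}  # session id -> (identity, verified_at)

    def create(self, identity: str) -> str:
        # 256 bits of randomness: the id cannot be guessed, so only theft
        # of the cookie value (the case raised in the reply) yields access.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (identity, self.clock())
        return sid

    def lookup(self, sid: str):
        """Return the identity for a live session, or None if the session
        is unknown or has outlived the trust window."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        identity, verified_at = rec
        if self.clock() - verified_at > self.max_age:
            del self._sessions[sid]  # expired: send the user back to OpenID
            return None
        return identity

    def revoke(self, sid: str) -> None:
        """Logout. This is the only thing that stops a stolen cookie before
        the window runs out, which is why a short window matters."""
        self._sessions.pop(sid, None)


def sign_cookie(identity: str, expires_at: int, key: bytes) -> str:
    """Stateless alternative: identity and expiry live in the cookie, bound
    together by an HMAC so neither can be changed by the client. A stolen
    copy is still usable until expires_at; the signature does not help
    against replay, only against tampering."""
    payload = f"{identity}|{expires_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, key: bytes, clock=time.time):
    """Return the identity if the tag is valid and the cookie is not
    expired; otherwise None (tampered, forged, malformed or stale)."""
    try:
        identity, expires_at, tag = cookie.rsplit("|", 2)
        expires_at = int(expires_at)
    except ValueError:
        return None
    expected = hmac.new(key, f"{identity}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # signature mismatch: forged or edited
    if clock() > expires_at:
        return None  # trust window over; re-run the OpenID check
    return identity
```

Either variant avoids the round of redirects on every page view that Martin warns against; what neither does is distinguish the real browser from a copy of its cookie, so the trust window and an explicit logout are the practical bounds on a stolen session.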
More information about the yadis mailing list