By storing an assertion in the session, doesn't that leave the user
vulnerable to replay attacks via cookie theft?  I was hoping using
OpenID for decentralized authentication would
quell that problem.

But now that I think about that, I guess there's no way to do it.  Hmmm.


On 8/15/05, Martin Atkins <mart at> wrote:
> Jeremy Smith wrote:
> >
> > Now, another question: How is an OpenID consumer to deal with staying
> > logged in?  Shall I verify the ID (entailing a series of redirects)
> > for every page request?
> >
> You should create a session of some description for your user which has
> a duration of as long as you are willing to trust the assertion. How
> long you are willing to allow is up to you, depending on the sensitivity
> of your application and any other criteria you like. How you track the
> session is entirely up to you as well.
> Re-verifying for every request is possible but certainly not a good
> idea. For one thing, users whose ID servers don't have a "Yes, every
> time" option will have to keep authorizing it over and over, and I'm
> sure the identity servers themselves won't be too happy.
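As an added illustration of the session approach described above (example code, not part of the original thread or of any OpenID library): a minimal server-side session store for an OpenID consumer. It assumes the assertion has already been verified elsewhere (that step is not shown), issues an opaque random session id whose lifetime equals the period you are willing to trust the assertion, and rejects the id once that window has passed. The `SessionStore` and `session_cookie_header` names and the 15-minute TTL are hypothetical choices for this example; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time

# Hypothetical trust window: how long we keep relying on one verified
# OpenID assertion before the user must re-authenticate.
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """In-memory session table keyed by an opaque random session id.

    The id carries no information itself; everything (identity URL,
    issue time, expiry) lives server-side, so nothing in the cookie
    can be tampered with, and a session can be revoked at any time.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self.ttl = ttl
        self.clock = clock  # injectable for testing

    def create(self, identity_url):
        """Call once after an OpenID assertion for identity_url verified."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[sid] = {
            "identity": identity_url,
            "issued_at": now,
            "expires_at": now + self.ttl,
        }
        return sid

    def lookup(self, sid):
        """Return the identity URL for a live session, else None.

        Any holder of a valid id is accepted until expiry, which is
        exactly the cookie-theft exposure raised in the thread; the
        TTL is the knob that bounds it.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() >= rec["expires_at"]:
            del self._sessions[sid]  # expired: drop it and force re-auth
            return None
        return rec["identity"]

    def revoke(self, sid):
        """Explicit logout: invalidates the id server-side immediately."""
        return self._sessions.pop(sid, None) is not None


def session_cookie_header(sid, ttl=SESSION_TTL_SECONDS):
    """Set-Cookie value: browser expiry matches the server TTL, and the
    Secure/HttpOnly flags keep the id off plaintext HTTP and out of
    reach of page scripts."""
    return (
        f"openid_session={sid}; Max-Age={ttl}; Path=/; "
        "Secure; HttpOnly; SameSite=Lax"
    )


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("http://example.com/alice")  # constructed identity
    print(session_cookie_header(sid))
    print(store.lookup(sid))
```

The design choice worth noting is that the lifetime is enforced on the server, not just via `Max-Age`: a browser-side expiry is advisory and does nothing against a copied cookie, whereas the server-side check guarantees the assertion stops being trusted after the chosen window regardless of who presents the id.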

