Better error messages maybe? :-)

Michael 'hacker' Krelin hacker at
Mon Aug 15 13:51:00 PDT 2005

On Mon, Aug 15, 2005 at 01:46:22PM -0700, Jeremy Smith wrote:
> By storing an assertion in the session, doesn't that leave the user
> vulnerable to replay attacks via cookie theft?  I was hoping using

As much as having persistent session (login, for instance) at all.
OpenID lets user confirm who they are like they would do with mere
password otherwise. It's up to you what to do with the user once
authenticated - use it, for instance, for adding comment and forget or
keep session information for the user (possibly associated with IP


> OpenID for decentralized authentication would
> quell that problem.
> But now that I think about that, I guess there's no way to do it.  Hmmm.
> -Jeremy
> On 8/15/05, Martin Atkins <mart at> wrote:
> > Jeremy Smith wrote:
> > >
> > > Now, another question: How is an OpenID consumer to deal with staying
> > > logged in?  Shall I verify the ID (entailing a series of redirects)
> > > for every page request?
> > >
> > 
> > You should create a session of some description for your user which has
> > a duration of as long as you are willing to trust the assersion. How
> > long you are willing to allow is up to you, depending on the sensitivity
> > of your application and any other criteria you like. How you track the
> > session is entirely up to you as well.
> > 
> > Re-verifying for every request is possible but certainly not a good
> > idea. For one thing, users whose ID servers don't have a "Yes, every
> > time" option will have to keep authorizing it over and over, and I'm
> > sure the identity servers themselves won't be too happy.
> > 
> >

More information about the yadis mailing list