Once more, LJ valid_to timespan.

Richard 'toast' Russo russor at msoe.edu
Fri Jul 1 10:04:59 PDT 2005


On Fri, 1 Jul 2005, Carl Howells wrote:

> Once again, I'd like to bring up LJ's openid server's return valid_to. It's 
> still set only one minute in the future.  I believe that shows a 
> misunderstanding of the spec, and should be corrected.
>
> As I understand the spec (and others have agreed with my interpretation), the 
> valid_to date is NOT how long the user and consumer have to complete the 
> login process.  Rather, it's how long the server is allowing the user to stay 
> logged in to the consumer site.
>
> Having the valid_to time set at only one minute into the future is awful.  It 
> requires all spec-compliant consumers to re-authorize the user every minute. 
> This is really strange behavior on the part of an openid server, as it 
> guarantees that it will constantly be hammered with checkid_* requests from 
> consumers that have followed the spec.
>
> Please up this to a more useful value.  An hour seems like the absolute 
> minimum useful time.  A day sounds like a reasonable choice at the low end. 
> A week doesn't seem unreasonably long.
>

A week seems pretty unreasonably long to me.  Especially if you're not 
using session cookies. That allows plenty of time for me to log out of 
livejournal, and my roommate to get on my computer and use some other site 
pretending to be me.  And maybe not even realize it.  (If we're friends, 
and we both go to the same meme site because one of our common friends 
suggested it).  Since OpenID provides single sign on (effectively), it's 
not unreasonable for users to expect single sign off.

One minute is probably too little.  15 minutes to an hour would be my 
off-the-cuff recommendation.


> I know we're not the only ones who've run into this and thought it's a very 
> strange decision.
>
> Carl
>

-- 
Success! You are foaf http://openid.enslaves.us/
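As an added illustration of the point the thread argues over (this is not code from the thread, from LiveJournal or from any OpenID library): a consumer that treats the server's valid_to as the ceiling on its login session, clips it with a hypothetical local maximum of its own, and counts the checkid_* round trips a one-minute valid_to forces. Timestamps use the OpenID 1.x format YYYY-MM-DDThh:mm:ssZ; the assertion values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format of openid.issued / openid.valid_to in OpenID 1.x (UTC, ISO 8601).
OPENID_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_openid_time(value: str) -> datetime:
    """Parse an OpenID 1.x timestamp into an aware UTC datetime."""
    return datetime.strptime(value, OPENID_TIME_FMT).replace(tzinfo=timezone.utc)


def session_expiry(issued: str, valid_to: str, consumer_max: timedelta) -> datetime:
    """Decide when the consumer's login session ends.

    valid_to is the server's upper bound on how long the user may stay logged
    in at the consumer; the consumer may shorten it with its own ceiling
    (consumer_max, a hypothetical local policy) but never extend it.
    """
    issued_dt = parse_openid_time(issued)
    valid_to_dt = parse_openid_time(valid_to)
    if valid_to_dt <= issued_dt:
        raise ValueError("valid_to must be later than issued")
    return min(valid_to_dt, issued_dt + consumer_max)


def needs_reauth(expiry: datetime, now: datetime) -> bool:
    """True once the session has expired and a new checkid_* round trip is due."""
    return now >= expiry


def reauth_round_trips(lifetime: timedelta, browsing: timedelta) -> int:
    """Number of checkid_* re-authorizations a spec-following consumer performs
    over an uninterrupted browsing period when every assertion lives `lifetime`."""
    return browsing // lifetime


# Constructed assertions, both issued at the same instant; only valid_to differs.
ISSUED = "2005-07-01T17:00:00Z"
ONE_MINUTE = "2005-07-01T17:01:00Z"    # the LiveJournal behaviour under discussion
ONE_WEEK = "2005-07-08T17:00:00Z"      # the long end of Carl's suggestion
CONSUMER_CEILING = timedelta(hours=1)   # hypothetical consumer-side maximum
ASSERTION_LIFETIME = timedelta(minutes=1)
BROWSING_SESSION = timedelta(hours=8)

if __name__ == "__main__":
    now = parse_openid_time("2005-07-01T17:30:00Z")
    print("1-minute assertion, 30 min later, must re-auth:",
          needs_reauth(session_expiry(ISSUED, ONE_MINUTE, CONSUMER_CEILING), now))
    print("1-week assertion clipped to consumer's 1 h, must re-auth:",
          needs_reauth(session_expiry(ISSUED, ONE_WEEK, CONSUMER_CEILING), now))
    print("checkid_* round trips over 8 h at a 1-minute valid_to:",
          reauth_round_trips(ASSERTION_LIFETIME, BROWSING_SESSION))
```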
