Once more, LJ valid_to timespan.
Kristopher Tate
kris at bbridgetech.com
Fri Jul 1 10:07:38 PDT 2005
I happen to like the way Brad et al. have set livejournal to 60
seconds, and his original interpretation.
If you take a look at LJ or any other consumer, you'll see that even if
it was set to a longer time, it really wouldn't matter. Why? Try
logging in. As long as the user is allowed to save a cookie on
livejournal.com that will enable him or her to login forever or just
until the browser closes, what you said doesn't really take any
precedence besides "re-authing". Although, if our interpretation says
that this is only an allotted time for the login process, that whole
issue drops-out completely.
Quite frankly, the generation of associate handles and keys are so
cheap that why not set the time low? This is better security wise
because every time someone wants to login, they are given a new
assoc_handle and mac_key/dh info.
The downside is one that if one logs-out of their ID server, what
ends-up happening is that they are still logged into the consumer.
Here's what I recommend:
On Level9's WebKit, after we have extended to a site that xyz user is
logged-in, if xyz user decides to log-out of any Level9 WebKit service
or <mylevel9.com>, Our servers will go to each site and tell the sites
that xyz user has logged out. We do this via XMLRPC, but it could
easily be implemented via http-post. We need a mode that logs users
out.
-Kris
On 2005/07/01, at 9:54 AM, Carl Howells wrote:
> Once again, I'd like to bring up LJ's openid server's return valid_to.
> It's still set only one minute in the future. I believe that shows a
> misunderstanding of the spec, and should be corrected.
>
> As I understand the spec (and others have agreed with my
> interpretation), the valid_to date is NOT how long the user and
> consumer have to complete the login process. Rather, it's how long
> the server is allowing the user to stay logged in to the consumer
> site.
>
> Having the valid_to time set at only one minute into the future is
> awful. It requires all spec-compliant consumers to re-authorize the
> user every minute. This is really strange behavior on the part of an
> openid server, as it guarantees that it will constantly be hammered
> with checkid_* requests from consumers that have followed the spec.
>
> Please up this to a more useful value. An hour seems like the
> absolute minimum useful time. A day sounds like a reasonable choice
> at the low end. A week doesn't seem unreasonably long.
>
> I know we're not the only ones who've run into this and thought it's a
> very strange decision.
>
> Carl
>
>
More information about the yadis
mailing list