Once more, LJ valid_to timespan.

Brad Fitzpatrick brad at danga.com
Fri Jul 1 10:08:45 PDT 2005

On Fri, 1 Jul 2005, Richard 'toast' Russo wrote:

> On Fri, 1 Jul 2005, Carl Howells wrote:
> > Once again, I'd like to bring up LJ's openid server's return valid_to. It's
> > still set only one minute in the future.  I believe that shows a
> > misunderstanding of the spec, and should be corrected.
> >
> > As I understand the spec (and others have agreed with my interpretation), the
> > valid_to date is NOT how long the user and consumer have to complete the
> > login process.  Rather, it's how long the server is allowing the user to stay
> > logged in to the consumer site.
> >
> > Having the valid_to time set at only one minute into the future is awful.  It
> > requires all spec-compliant consumers to re-authorize the user every minute.
> > This is really strange behavior on the part of an openid server, as it
> > guarantees that it will constantly be hammered with checkid_* requests from
> > consumers that have followed the spec.
> >
> > Please up this to a more useful value.  An hour seems like the absolute
> > minimum useful time.  A day sounds like a reasonable choice at the low end.
> > A week doesn't seem unreasonably long.
> >
> A week seems pretty unreasonably long to me.  Especially if you're not
> using session cookies. That allows plenty of time for me to log out of
> livejournal, and my roomate to get on my computer and use some other site
> pretending to be me.  And maybe not even realize it.  (If we're friends,
> and we both go to the same meme site because one of our common friends
> suggested it).  Since OpenID provides single sign on (effectively), it's
> not unreasonable for users to expect single sign off.
> One minute is probably too little.  15 minutes to an hour would be my off
> the cuff recommendation.

I don't think the OpenID server should dictate it... the user should
choose when they log into their next site.

LiveJournal, for instance, lets people choose between "this browser
session" and "forever" (which requires them to log off at some point).

So I'm bound to either ignore valid_to on LiveJournal, and/or set my
OpenID server's valid_to to like 1 month.

- Brad

More information about the yadis mailing list