Once more, LJ valid_to timespan.

Carl Howells chowells at janrain.com
Fri Jul 1 14:28:04 PDT 2005


Richard 'toast' Russo wrote:
> 
> A week seems pretty unreasonably long to me.  Especially if you're not 
> using session cookies. That allows plenty of time for me to log out of 
> livejournal, and my roommate to get on my computer and use some other 
> site pretending to be me.  And maybe not even realize it.  (If we're 
> friends, and we both go to the same meme site because one of our common 
> friends suggested it).  Since OpenID provides single sign on 
> (effectively), it's not unreasonable for users to expect single sign off.

Perhaps it's true that it's not unreasonable for users to expect single 
sign off.  However, the mechanism you're proposing seems an awkward way 
to do it.  What should happen at the OpenID consumer site, 15 minutes 
after you first log in, when the id_res token expires?

I see two possibilities.

First, the site kills whatever you were doing, and sends you to a login 
screen to log in again.  This obviously has some issues.  It's really 
intrusive, every time it blows up and you have to enter your openid url 
again.

So, the second possibility is to automatically try to log the user in 
again using the same identity url.  But that still has a bunch of 
issues.  If you had just finished typing up a long entry to a bulletin 
board or wiki, how do you keep it from getting lost?  Sure, you can note 
what the user was doing, and store it somewhere pending 
reauthentication.  But what if the user was typing an entry and then 
attaching a ten megabyte file to it?  It seems there are reasonable 
use-cases which make the storage cost of putting the user's request into 
temporary holding quite high.  Additionally, it's just a much more 
complicated thing to do than a lot of small sites will be willing to 
implement.

It seems that the underlying issue with using very low token expiration 
times to implement single signoff is that you are essentially creating a 
polling system to detect signoff.  Something like that creates a lot of 
unnecessary traffic, and might be a real issue for some higher-use id 
servers.

I don't know if there is any real relevance in this discussion at this 
point, since it depends on how the larger debate over this goes.  Even 
so, I think a polling approach to single signoff isn't the way to go.

Carl
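
The two consumer behaviours weighed in this message, sketched as an added example (not part of the original post and not code from any OpenID library). `Consumer`, `Session`, `MAX_STASH_BYTES` and the action names are hypothetical, and the round trip to the identity server is represented only by the `still_signed_in` flag.

```python
from dataclasses import dataclass, field

MAX_STASH_BYTES = 64 * 1024   # assumed cap on a request parked during re-auth

@dataclass
class Session:
    identity_url: str
    valid_to: float           # expiry of the last id_res, in epoch seconds
    stash: bytes = b""        # request body held while re-authenticating
    reauth_count: int = 0     # round trips this session cost the id server

@dataclass
class Consumer:
    lifetime: float           # seconds each assertion stays valid
    sessions: dict = field(default_factory=dict)

    def login(self, sid, identity_url, now):
        self.sessions[sid] = Session(identity_url, now + self.lifetime)

    def handle(self, sid, body, now):
        """Return (action, detail) for one incoming request."""
        s = self.sessions.get(sid)
        if s is None:
            return ("login", None)
        if now < s.valid_to:
            return ("ok", body)
        if len(body) > MAX_STASH_BYTES:
            # First possibility: too big to park, so the work is dropped
            # and the user is sent back to the login screen.
            del self.sessions[sid]
            return ("login", None)
        # Second possibility: park the request and re-check the identity.
        s.stash = body
        s.reauth_count += 1
        return ("reauth", s.identity_url)

    def reauth_result(self, sid, still_signed_in, now):
        """Resume the parked request, or end the session on sign-off."""
        s = self.sessions[sid]
        body, s.stash = s.stash, b""
        if not still_signed_in:
            del self.sessions[sid]
            return ("login", None)
        s.valid_to = now + self.lifetime
        return ("ok", body)
```

With `lifetime=900` (the 15 minutes mentioned above), `reauth_count` grows by one per expired window for every session that stays active, which is the polling load on the id server.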

