mart at degeneration.co.uk
Fri Jul 1 16:57:19 PDT 2005
Kristopher Tate wrote:
> If we are never going to propose or accept a single sign-off mode, then
> atleast we need standards/guidelines written in the spec explaining good
> practices for both ID servers and consumers to deal with session data.
I think this is the most workable approach. Fix this as a social/policy
problem, rather than a technical one.
Some guidelines for consumers as a start:
* Make OpenID logins default to "until browser closes" cookies.
Optionally allow users to switch to a more permanent mode if they wish.
(Server-side, this could be implemented in a number of ways which we
shouldn't try to force.)
* Make it obvious to a user that they are logged in and which identity
they are logged in as at all times, or at least wherever possible.
More information about the yadis