OpenID Single-Sign-Off

Troy Benjegerdes hozer at hozed.org
Fri Jul 1 17:41:36 PDT 2005


On Sat, Jul 02, 2005 at 12:57:19AM +0100, Martin Atkins wrote:
> Kristopher Tate wrote:
> >
> >If we are never going to propose or accept a single sign-off mode, then 
> >at least we need standards/guidelines written in the spec explaining good 
> >practices for both ID servers and consumers to deal with session data.
> >
> 
> I think this is the most workable approach. Fix this as a social/policy 
> problem, rather than a technical one.
> 
> Some guidelines for consumers as a start:
> * Make OpenID logins default to "until browser closes" cookies. 
> Optionally allow users to switch to a more permanent mode if they wish. 
> (Server-side, this could be implemented in a number of ways which we 
> shouldn't try to force.)
> * Make it obvious to a user that they are logged in and which identity 
> they are logged in as at all times, or at least wherever possible.

Some of this is good, but I, for one, want to be able to run my own
openid server, and have my openid logins expire after a few minutes
(maybe 5) so that I have logs on my openid server of all the consumers
that think I am logged in. This way, if someone hijacks cookies or a
plain http session someplace, I'd at least know about it on my openid
server, which would use some other more secure mechanism (which only
goes between my client browser and my openid server) to transparently
re-authenticate me when openid client site logins expire.
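
A small model of the scheme described in the message above, added here as an illustration and not part of the original post or of any OpenID implementation. The class names, the `browser_secret` standing in for the "more secure mechanism", and all values are assumptions.

```python
import hmac
from dataclasses import dataclass, field

CONSUMER_TTL = 5 * 60  # seconds: the "few minutes (maybe 5)" from the message

@dataclass
class IdServer:
    """Hypothetical ID server; only the owner's browser holds browser_secret."""
    browser_secret: str
    log: list = field(default_factory=list)

    def reauth(self, consumer, presented, now):
        # Every consumer re-login passes through here, so every one is logged.
        ok = hmac.compare_digest(presented or "", self.browser_secret)
        self.log.append((now, consumer, "ok" if ok else "DENIED"))
        return ok

@dataclass
class Consumer:
    """Hypothetical consumer site with short-lived login sessions."""
    name: str
    server: IdServer
    sessions: dict = field(default_factory=dict)  # consumer cookie -> expiry

    def request(self, cookie, id_server_cookie, now, login=False):
        expiry = self.sessions.get(cookie)
        if expiry is None and not login:
            return False              # unknown cookie, no login requested
        if expiry is not None and now < expiry:
            return True               # still inside the short window
        # New login or expired session: bounce through the ID server.
        if self.server.reauth(self.name, id_server_cookie, now):
            self.sessions[cookie] = now + CONSUMER_TTL
            return True
        self.sessions.pop(cookie, None)
        return False

def scenario():
    # Constructed values: secret, cookie name, host name and timestamps.
    server = IdServer(browser_secret="constructed-secret")
    site = Consumer("consumer.example", server)
    site.request("c1", "constructed-secret", now=0, login=True)
    owner = site.request("c1", "constructed-secret", now=400)   # expired, renewed
    thief_early = site.request("c1", None, now=500)   # stolen cookie, inside TTL
    thief_late = site.request("c1", None, now=800)    # expired, re-auth refused
    return owner, thief_early, thief_late, server.log
```

In this model the copied consumer cookie keeps working until the current window ends, and the refused re-authentication at the next expiry is the entry the server owner sees in the log.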

