Once more, LJ valid_to timespan.
Jean-Luc Delatre
jld at club-internet.fr
Fri Jul 1 22:10:35 PDT 2005
Martin Atkins wrote:
> One case that valid_to breaks is my guestbook app, which retains no
> state but instead just does the OpenID validation step twice. The
> first happens immediately, but the second happens once the comment has
> been entered and the form submitted, which is likely to be more than
> 60 seconds later.
>
> Of course, the guestbook is totally vulnerable to replay attacks.
Tsk, tsk, tsk...
But that just means you don't have any login logic of your own, relying
upon the OpenID server to keep authenticating every incoming post.
I guess that should not be the target case.
If a consumer is in need of some authentication and requests OpenID
services, it should then take charge of a true login session and handle
that with whatever means it sees fit: session cookie, IP + expiration or
any other hack.
OpenID will then just provide a one-shot id/password functionality to
this login logic, and this whole discussion about expiring sessions and
signoff becomes irrelevant.
JLD
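The consumer design argued for above, as an added example that is not part of the thread: the OpenID assertion is verified exactly once (signature, valid_to, nonce), and the consumer then issues its own signed session that covers the later form submit, so the guestbook's second validation (and its replay window) disappears. The assertion layout, the HMAC signing and the in-memory nonce store are simplifications assumed for illustration, not the OpenID 1.x wire format.

```python
import hmac
import hashlib
import secrets

# Constructed model of a consumer ("relying party"); field names,
# signature scheme and nonce store are assumptions, not the real protocol.
ASSERTION_WINDOW = 60     # seconds an assertion (valid_to) is accepted for
SESSION_LIFETIME = 3600   # seconds the consumer's own login session lasts


def sign(key, fields):
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_assertion(shared_secret, identity, now):
    """Stand-in for the OpenID server's signed response (constructed)."""
    fields = {"identity": identity, "nonce": secrets.token_hex(8),
              "valid_to": str(now + ASSERTION_WINDOW)}
    fields["sig"] = sign(shared_secret, fields)
    return fields


class Consumer:
    def __init__(self, shared_secret, session_key):
        self.shared = shared_secret        # secret shared with the OpenID server
        self.session_key = session_key     # consumer-private key for its sessions
        self.seen_nonces = set()           # one-shot: each assertion usable once

    def verify_assertion_once(self, assertion, now):
        """Accept an assertion only if signed, unexpired and never seen before."""
        fields = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(sign(self.shared, fields), assertion["sig"]):
            return None
        if now > int(fields["valid_to"]):
            return None                    # past valid_to
        if fields["nonce"] in self.seen_nonces:
            return None                    # replayed assertion is rejected
        self.seen_nonces.add(fields["nonce"])
        return fields["identity"]

    def start_session(self, identity, now):
        """The consumer's own login session, independent of valid_to."""
        body = f"{identity}|{now + SESSION_LIFETIME}"
        tag = hmac.new(self.session_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"

    def check_session(self, token, now):
        identity, exp, tag = token.rsplit("|", 2)
        body = f"{identity}|{exp}".encode()
        expected = hmac.new(self.session_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag) or now > int(exp):
            return None
        return identity
```

The guestbook's second step (the form submit, more than 60 seconds later) is then authorized by `check_session`, not by re-validating the assertion.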