Once more, LJ valid_to timespan.

Jean-Luc Delatre jld at club-internet.fr
Fri Jul 1 22:10:35 PDT 2005

Martin Atkins wrote:

> One case that valid_to breaks is my guestbook app, which retains no 
> state but instead just does the OpenID validation step twice. The 
> first happens immediately, but the second happens once the comment has 
> been entered and the form submitted, which is likely to be more than 
> 60 seconds later.
> Of course, the guestbook is totally vulnerable to replay attacks. 

Tsk, tsk, tsk...

But that just means you don't have any login logic of your own, relying 
upon the OpenID server to keep authenticating every incoming post.
I guess that should not be the target case.
If a consumer is in need of some authentication and request OpenID 
services it should then take charge of a true login session and handle 
that with whatever means it sees fit, session cookie, IP + expiration or 
any other hack.
OpenID will then just provide a one shot id/password functionality to 
this login logic and this whole discussion about expiring sessions and 
signoff becomes irrelevant.


More information about the yadis mailing list