Once more, LJ valid_to timespan.

Martin Atkins mart at degeneration.co.uk
Sat Jul 2 02:58:46 PDT 2005


Jean-Luc Delatre wrote:
> 
> But that just means you don't have any login logic of your own, relying 
> upon the OpenID server to keep authenticating every incoming post.
> I guess that should not be the target case.
> If a consumer is in need of some authentication and requests OpenID
> services it should then take charge of a true login session and handle 
> that with whatever means it sees fit, session cookie, IP + expiration or 
> any other hack.
>

You want a session cookie for a guestbook? :)

A guestbook *is* one-shot, and completely stateless consumers like this 
were an accepted application in the spec. That is why there's a "dumb 
consumer" mode.

The guestbook could potentially be rewritten to only do the auth step 
once and put some kind of token in the form which it then validates 
itself. That's starting to get a little more complicated than I think a 
guestbook or simple blog comments app should get, though.

Another workaround would be to only do the auth on the final submission, 
but that means the user won't get an auth error until after the comment 
has been submitted, by which time they've already wasted time typing it 
all out.


