Once more, LJ valid_to timespan.
mart at degeneration.co.uk
Sat Jul 2 02:58:46 PDT 2005
Jean-Luc Delatre wrote:
> But that just means you don't have any login logic of your own, relying
> upon the OpenID server to keep authenticating every incoming post.
> I guess that should not be the target case.
> If a consumer is in need of some authentication and request OpenID
> services it should then take charge of a true login session and handle
> that with whatever means it sees fit, session cookie, IP + expiration or
> any other hack.
You want a session cookie for a guestbook? :)

A guestbook *is* one-shot, and completely stateless consumers like this
were an accepted application in the spec. That is why there's a "dumb

The guestbook could potentially be rewritten to only do the auth step
once and put some kind of token in the form which it then validates
itself. That's starting to get a little more complicated than I think a
guestbook or simple blog comments app should get, though.

Another workaround would be to only do the auth on the final submission,
but that means the user won't get an auth error until after the comment
has been submitted, by which time they've already wasted time typing it
More information about the yadis
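
The "token in the form" idea from the message above, sketched as an added example that is not part of the original post or of any OpenID library: the consumer signs the verified identity URL and an expiry with HMAC, embeds the result in a hidden form field, and validates it on submission without keeping server-side state. The names `SECRET`, `TOKEN_LIFETIME`, `issue_form_token` and `check_form_token` are hypothetical, and the 15-minute lifetime is an assumption.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: a per-site secret loaded from server config (constructed value).
SECRET = b"constructed-demo-secret-replace-in-config"
TOKEN_LIFETIME = 15 * 60  # seconds a form token stays valid (assumed)


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(identity_url: str, now: Optional[float] = None) -> str:
    """Call once, right after the OpenID server has verified identity_url."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_LIFETIME)
    # Base64 keeps "." out of the identity part so the token splits cleanly.
    ident = base64.urlsafe_b64encode(identity_url.encode()).decode()
    payload = f"{ident}.{expires}"
    return f"{payload}.{_sign(payload)}"


def check_form_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified identity URL, or None if forged, altered or expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    ident, expires, sig = parts
    expected = _sign(f"{ident}.{expires}")
    # Constant-time comparison; check the signature before parsing anything.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    try:
        current = time.time() if now is None else now
        if int(expires) < current:
            return None
        return base64.urlsafe_b64decode(ident.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

The token can be replayed by whoever holds the form until it expires, so the lifetime bounds how long one auth step vouches for later posts.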