Once more, LJ valid_to timespan.
meepbear *
meepbear at hotmail.com
Sun Jul 3 11:43:23 PDT 2005
Wouldn't something similar to cookie expiration times work?
valid_to:0 = valid until the user closes their browser (or the consumer's
session cookie expires, whichever comes first)
IMO it would be more in line with how the user expects things to work and
similar to the behavior they're used to with checking/unchecking "Remember
my password".
If they choose "Allow this site to ID me only once" they're most likely
expecting to only be asked again the next time they visit the site so if
they choose that option the server could return "valid_to:0".
If they choose "Always allow this site..." the server can return a
"valid_to" to however long it wants. If the user comes back to the site
while "valid_to" hasn't expired, they're good for the rest of the session,
if it has expired the consumer contacts the server again.
In the first case, logoff happens when the browser closes (possibly earlier,
but definitely then), in the second case there is a delayed logoff. Should
the user decide to logoff from the main site (livejournal.com for instance)
then logoff occurs at the consumers anywhere from instantly to however long
in the future the server sets "valid_to".
(On a slightly related subject, why does check_authentication have a
lifetime while everything else has timestamps?)
More information about the yadis
mailing list