Once more, LJ valid_to timespan.

meepbear * meepbear at hotmail.com
Sun Jul 3 11:43:23 PDT 2005

Wouldn't something similar to cookie expiration times work?

valid_to:0 = valid until the user closes their browser (or the consumer's 
session cookie expires, whichever comes first)

IMO it would be more in line with how the user expects things to work and 
similar to the behavior they're used to with checking/unchecking "Remember 
my password".

If they choose "Allow this site to ID me only once" they're most likely 
expecting to only be asked again the next time they visit the site, so if 
they choose that option the server could return "valid_to:0".

If they choose "Always allow this site..." the server can return a 
"valid_to" of however long it wants. If the user comes back to the site 
while "valid_to" hasn't expired, they're good for the rest of the session; 
if it has expired, the consumer contacts the server again.

In the first case, logoff happens when the browser closes (possibly earlier, 
but definitely then); in the second case there is a delayed logoff. Should 
the user decide to log off from the main site (livejournal.com for instance) 
then logoff occurs at the consumers anywhere from instantly to however long 
in the future the server sets "valid_to".

(On a slightly related subject, why does check_authentication have a 
lifetime while everything else has timestamps?)
