Want to insist on a recent login

Martin Atkins mart at degeneration.co.uk
Sun Jul 17 12:02:03 PDT 2005

Martin Atkins wrote:
> Unless I'm misunderstanding you, this is already possible. Once the
> one-time OpenID login has taken place, it's up to the consumer what kind
> of session — if any — is created. There's no reason at all why you
> couldn't have the session only last a certain amount of time if that was
> appropriate for your site, but you would of course have the tricky issue
> of what to do once the user's session expires: What if the user comes
> back and hits a submit button on a form? Can you maintain the form
> values while the browser does the OpenID dance or is the user going to
> have to start again?

Mulling this over, I suppose redoing the OpenID request doesn't really
help since the user is probably still logged into the homesite and so
the "attacker" can just hit "Yes, approve this site!" and it'll log in.

I don't understand how you propose to fix this, though. You can't force
the homesite to log out, since the user might still be using it or
another site despite not using yours right now.

Am I right in thinking that you want to have the OpenID request include
an inactivity limit? This seems like an unreasonable burden to put on
identity servers, for several reasons:
* Most sites don't track inactivity
* Some identity servers will be completely divorced from any other kind
of service (TypeKey's for example) so they can't judge inactivity in any
reasonable manner.
* You're relying on the ID server to look after the consumer's concerns,
so you've got no idea whether the server actually bothered to check. It
might just be saying "uuh... yes... sure, he's still here I guess". Even
if it's in the spec, you can guarantee that there will be ID servers
that don't support it and consumers will be unable to distinguish.
* If the user is using your site, he's probably not using the homesite.

If I've missed the point completely, please let me know. :)
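As an added illustration (not code from the thread or from any OpenID library) of the consumer-side approach discussed above: the consumer decides session lifetime itself, stashes the pending form while the user redoes the OpenID login, and only resumes it for the same identity. The limits, in-memory stores and function names are assumptions for the example.

```python
import secrets

MAX_SESSION_AGE = 15 * 60   # seconds since the OpenID login itself (assumed policy)
IDLE_LIMIT = 5 * 60         # seconds since the user's last request (assumed policy)

# Constructed in-memory stores standing in for the consumer's session storage.
sessions = {}       # session_id -> {"identity", "auth_time", "last_seen"}
pending_forms = {}  # resume_token -> {"identity", "form"}


def start_session(identity, now):
    """Called after a successful OpenID assertion; the consumer picks the lifetime."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"identity": identity, "auth_time": now, "last_seen": now}
    return sid


def session_is_fresh(sid, now):
    """Freshness is judged entirely on the consumer side, never by the ID server."""
    s = sessions.get(sid)
    if s is None:
        return False
    if now - s["auth_time"] > MAX_SESSION_AGE or now - s["last_seen"] > IDLE_LIMIT:
        return False
    s["last_seen"] = now
    return True


def handle_submit(sid, form, now):
    """Accept the form, or stash it and require a fresh OpenID login first."""
    if session_is_fresh(sid, now):
        return ("accepted", form)
    token = secrets.token_urlsafe(16)
    # Remember who the expired session belonged to, so only that identity may resume it.
    pending_forms[token] = {"identity": sessions[sid]["identity"], "form": dict(form)}
    sessions.pop(sid, None)
    # The consumer would now redirect to the ID server, carrying `token` in return_to.
    return ("reauth_required", token)


def resume_after_login(token, identity, now):
    """After the fresh login, restore the saved form only for the original identity."""
    entry = pending_forms.get(token)
    if entry is None or entry["identity"] != identity:
        return None
    pending_forms.pop(token)
    return (start_session(identity, now), entry["form"])
```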
