Want to insist on a recent login
grant.monroe at gmail.com
Mon Jul 18 12:01:20 PDT 2005
I could see one potential solution being a force option. In other
words, the consumer could specify that the identity server force a
password check rather than relying on the users cookies.
On 7/18/05, Dave Hinton <dah at thereaction.co.uk> wrote:
> Xageroth Sekarius wrote:
> > Nothing stops consumers from attaching additional passwords to
> The point here is that the Consumer web site does not want to force the
> End User to remember yet another password.
> Martin Atkins wrote:
> > Also, I don't think I'd want to depend on OpenID for anything
> > my finances. If you do that, you're putting a lot of trust in your
> > identity provider and your identity server. Even if both of these are
> > you, do you really want to chance your website getting attacked
> The current situation is that End User's are putting a lot of trust in
> their e-mail providers, as most web sites (including e-commerce web
> sites) will e-mail your password to you, in the clear. And e-mail
> servers are subject to attack too.
> > I don't understand how you propose to fix this, though. You can't
> > the homesite to log out, since the user might still be using it or
> > another site despite not using yours right now.
> I don't want to force the Server to log out the End User.
> Instead of the Consumer web site having to ask "Is this browser logged
> in as X?", I would like it to have the option of asking "Is this
> browser logged in as X, and did they log in within the last Y period of
> time?" If the End User hasn't logged in that recently, they should be
> asked to log in again (re-enter their password), but if they don't,
> they shouldn't be logged out of the Server. All that should happen
> then is that the Server answers "No" to the Consumer.
> > Am I right in thinking that you want to have the OpenID request
> > an inactivity limit?
> No, and I agree with you that that would put an unreasonably onerous
> burden on the Server.
> I am asking that it include a maximum time since the End User's
> identity was verified (password entered). The Server can easily store
> the last time the End User entered their password in the login cookie;
> it doesn't require writing to a database.
> Perhaps some Server's don't want to keep track of when the End User
> last entered their password; maybe they should be able to tell the
> Consumer web site "No, and I don't keep this information" so that the
> Consumer can tell the End User they can't log in using that Identity.
More information about the yadis