Want to insist on a recent login
Grant Monroe
grant.monroe at gmail.com
Mon Jul 18 12:01:20 PDT 2005
I could see one potential solution being a force option. In other
words, the consumer could specify that the identity server force a
password check rather than relying on the user's cookies.
On 7/18/05, Dave Hinton <dah at thereaction.co.uk> wrote:
> Xageroth Sekarius wrote:
>
> > Nothing stops consumers from attaching additional passwords to
> > OpenID's.
>
> The point here is that the Consumer web site does not want to force the
> End User to remember yet another password.
>
>
>
> Martin Atkins wrote:
>
> > Also, I don't think I'd want to depend on OpenID for anything
> > involving
> > my finances. If you do that, you're putting a lot of trust in your
> > identity provider and your identity server. Even if both of these are
> > you, do you really want to chance your website getting attacked
> > somehow?
>
> The current situation is that End Users are putting a lot of trust in
> their e-mail providers, as most web sites (including e-commerce web
> sites) will e-mail your password to you, in the clear. And e-mail
> servers are subject to attack too.
>
>
> > I don't understand how you propose to fix this, though. You can't
> > force
> > the homesite to log out, since the user might still be using it or
> > another site despite not using yours right now.
>
> I don't want to force the Server to log out the End User.
>
> Instead of the Consumer web site having to ask "Is this browser logged
> in as X?", I would like it to have the option of asking "Is this
> browser logged in as X, and did they log in within the last Y period of
> time?" If the End User hasn't logged in that recently, they should be
> asked to log in again (re-enter their password), but if they don't,
> they shouldn't be logged out of the Server. All that should happen
> then is that the Server answers "No" to the Consumer.
>
>
> > Am I right in thinking that you want to have the OpenID request
> > include
> > an inactivity limit?
>
> No, and I agree with you that that would put an unreasonably onerous
> burden on the Server.
>
> I am asking that it include a maximum time since the End User's
> identity was verified (password entered). The Server can easily store
> the last time the End User entered their password in the login cookie;
> it doesn't require writing to a database.
>
> Perhaps some Servers don't want to keep track of when the End User
> last entered their password; maybe they should be able to tell the
> Consumer web site "No, and I don't keep this information" so that the
> Consumer can tell the End User they can't log in using that Identity.
>
>
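The check discussed above, as an added example that is not part of the original thread or of any OpenID implementation: the Server records the time the password was last entered in its login cookie, and the Consumer's query carries a maximum age for that verification. Because the timestamp lives in a cookie the browser holds, the cookie is HMAC-signed so the Server can reject a forged or altered one; the key, the identity URLs and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a secret known only to the identity Server, used to sign cookies.
SECRET = b"constructed-demo-cookie-key"


def make_login_cookie(identity, last_auth_time, secret=SECRET):
    """Issue a login cookie; last_auth_time is None for Servers that do not
    record when the password was last entered."""
    payload = json.dumps({"id": identity, "last_auth": last_auth_time}).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def parse_login_cookie(cookie, secret=SECRET):
    """Return the cookie's payload, or None if it is malformed or its
    signature does not verify (a tampered last_auth is treated as no login)."""
    try:
        body, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:  # includes binascii.Error from bad base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def check_identity(cookie, identity, max_auth_age=None, now=None, secret=SECRET):
    """Answer the Consumer's question "is this browser logged in as X, and did
    they enter their password within the last max_auth_age seconds?"
    Returns "yes", "no", or "unknown" (logged in, but the Server does not keep
    the last-password time). max_auth_age=0 amounts to the force option."""
    now = time.time() if now is None else now
    session = parse_login_cookie(cookie, secret)
    if session is None or session.get("id") != identity:
        return "no"
    if max_auth_age is None:
        return "yes"  # plain "is this browser logged in as X?"
    last_auth = session.get("last_auth")
    if last_auth is None:
        return "unknown"  # "No, and I don't keep this information"
    return "no" if now - last_auth > max_auth_age else "yes"
```

A "no" answer does not log the End User out of the Server; it only tells the Consumer that a fresh password entry is needed before it will accept this login.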