Minutes From Meeting Today
mailinglists at fourkitchens.com
Sat Jun 24 16:33:19 UTC 2006
Dick Hardt wrote:
> On 24-Jun-06, at 8:46 AM, David Strauss wrote:
>> There would be no issue with cookie reloading or cross-browser
>> compatibility because the invalidation would be in the OpenID consumer
>> database, not in the session-tracking cookie.
> I assumed that the app would already have a active session mechanism and
> that OpenID is used to map to an account to it. I would think it would
> be a challenge to ask people to rewrite their session management.
> The other point is that people already know how to log off (people only
> do it on critical sites) -- and if they want to log off of everything,
> they are likely done with their web session and can just quit the
> browser which will get rid of any session cookies.
> Just my opinion and experience.
> -- Dick
In the case of all of my projects, I would just delete the session
that's linked to the OpenID when getting an (authenticated) signoff
request from the OpenID server.
It's true that closing the browser removes session cookies, but most
sites I sign on to don't use session cookies; they use persistent ones
that might last up to a year or so.
Four Kitchen Studios, LLC
More information about the yadis