tags:

views:

49

answers:

2
+4  Q: 

Should I distinguish OpenIDs based on protocol prefix or not? http vs https

I have implemented a straightforward OpenID support for my ASP.NET app with DotNetOpenAuth. Yet I recently realized that the implementation was treating http://johndoe.example.com/ as a distinct user compared to https://johndoe.example.com.

This lead to quite a few confused users. I am unsure what to do at this point. Is this a bug or a feature?

Indeed, I can consider this behavior as a feature: if the user specifies the HTTPS, the user might not want the system to accept HTTP auth in the first place.

On the other hand: if the user specifies HTTPS out of sheer cluelessness (the casual web visitor is clueless concerning the purpose of the "S" part), then rejecting it's authentication attempt is confusing.

What is considered as the best practice?

A: 

Theoretically http and https identities could be different. Practically (as implemented by the providers in the real world) they shouldn't be.

StackOverflow does not differentiate between http://abdullin.myopenid.com and https://abdullin.myopenid.com, so the solution should probably work for the 99% scenarios.

Rinat Abdullin  2010-04-06 10:16:16
StackOverflow is wrong to treat them equivalently (if that's true). See Steven's answer.
Andrew Arnott  2010-04-07 23:25:07
+4  A: 

Yes - they are completely different and should be treated as so.

The recommendations to OP's is to always use https but that isn't always the case (just now).

 2010-04-06 10:38:20
Some OPs do only offer HTTPS identifiers, including Yahoo and Google, I believe.
keturn  2010-04-06 22:02:09
This is a security requirement. If HTTP and HTTPS identifiers are treated as equivalent, then HTTPS provides no greater security than HTTP, and is therefore vulnerable to DNS poisoning, which equals user identity spoofing (read: stolen identity). It is VERY important that you treat these as different identities.
Andrew Arnott  2010-04-07 23:24:50

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.