Hi,
I'm building a Web 2.0 social networking app. I've got jQuery and Tomcat. I don't want to use Tomcat sessions at all, but I still want a secure login. So I'm looking at OpenID, like the one used on Stack Overflow. I want to build my own UI, so I assume I use the OpenID libraries.
My question is: assuming that a persistent cookie is left in the user's browser after login authentication, how do I protect against hijacking of that cookie and of my internal login id, to prevent spammers from posting to my site in the name of a hijacked user?
Do I somehow combine with tomcat sessions?
NOTE: only limited CAPTCHA use is allowed in my webapp. I don't want to force the user to prove he's not a robot on each post, yet I want to be sure that he's not a robot, while depending on OpenID.
Andy
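One way to make such a persistent login cookie tamper-evident, time-limited and revocable after a suspected hijack, as an added example that is not part of the original post: an HMAC-signed token carrying the user id, an expiry and a random nonce, checked against a server-side list of live nonces so a stolen cookie can be killed. It is written in Python because the scheme is independent of Tomcat; the key, the in-memory store and the cookie name are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders: a real deployment loads the key from protected
# config and keeps the live-token store in a database, not in memory.
SERVER_KEY = secrets.token_bytes(32)
ACTIVE_TOKENS: dict[str, set[str]] = {}   # user_id -> nonces still valid
DEFAULT_TTL = 14 * 86400                   # two weeks, in seconds

def _tag(payload: str) -> str:
    # Keyed MAC over the whole payload; changing any field invalidates it.
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user_id: str, ttl_seconds: int = DEFAULT_TTL, now: int = 0) -> str:
    """Mint a login token for user_id and record its nonce as live."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    expires = now + ttl_seconds
    nonce = secrets.token_urlsafe(16)           # unguessable per-login value
    payload = f"{user_id}|{expires}|{nonce}"
    ACTIVE_TOKENS.setdefault(user_id, set()).add(nonce)
    return f"{payload}|{_tag(payload)}"

def verify_cookie(cookie: str, now: int = 0):
    """Return the user id if the token is authentic, unexpired and not revoked, else None."""
    try:
        user_id, expires_str, nonce, tag = cookie.split("|")
        expires = int(expires_str)
    except ValueError:
        return None                             # malformed token
    expected = _tag(f"{user_id}|{expires}|{nonce}")
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None                             # forged or tampered
    if now >= expires:
        return None                             # expired
    if nonce not in ACTIVE_TOKENS.get(user_id, set()):
        return None                             # revoked (logout / hijack response)
    return user_id

def revoke_all(user_id: str) -> None:
    """Invalidate every outstanding token for a user, e.g. after a hijack report."""
    ACTIVE_TOKENS.pop(user_id, None)

def set_cookie_header(token: str, ttl_seconds: int = DEFAULT_TTL) -> str:
    # HttpOnly keeps script from reading it; Secure keeps it off plain HTTP;
    # SameSite limits cross-site sending. Cookie name is a placeholder.
    return f"Set-Cookie: login={token}; Max-Age={ttl_seconds}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Pass the real clock as `now` in production; the parameter exists so the expiry logic can be exercised deterministically.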