views: 289

answers: 2

I have a question as to how / what the best approaches are to using OpenID and also providing the ability to stay logged in.

If I look at Stack Overflow for example, I have logged in using Google, and if I close my browser and come back it still has me as logged in.

However, I am not logged into Google, and moreover I have removed Stack Overflow from the list of authorised services which have access to my Google account. I would naively expect that Stack Overflow would prompt me to log in again, but it doesn't.

So my question is, what are the best practices regarding OpenID and remembering authenticated users across sessions?

+1  A: 

Stack Overflow probably uses a cookie to remember you as user number xyz or session id 1234. After authentication, OpenID has nothing at all to do with the session anymore. SO doesn't have the ability to see if you are still logged in to Google, so this seems only natural.

Gerco Dries
I understand/appreciate it is using its own cookie, but I would expect that at least some periodic check would be made against Google, since I have removed Stack Overflow from the list of authorized services against my Google account. Under this setup someone could quite easily come and use my machine and post content within Stack Overflow when I have said that I don't want this to happen in Google.
jamie
You have indicated that you don't want Stack Overflow to authenticate to your Google account anymore. It's not authenticating because you already did that some time ago. What you want is impossible without requiring you to log in again periodically.
Gerco Dries
+2  A: 

OpenID is still pretty new, and several relying parties are trying out new and different ways to implement OpenID. There is a work-in-progress best practices document for relying parties hosted by the OpenID Foundation. In particular, they address the question of cookies and session lengths in their last section. Definitely an interesting idea to use persistent claimed_id cookies rather than persistent session cookies in order to make the user's life easier -- they only have to log out of their OP and close the browser.

Personally I find the behavior you're describing on Stack Overflow pretty natural. If OpenID were out of the picture and you were logged into a username/password web site on two different computers with a persistent cookie (a very common scenario), and you changed your password on one, I wouldn't be surprised if the other computer still had you logged in. You could call that a security hole, but it's still normal practice. So normal, in fact, that Gmail recently added a display at the bottom of your Inbox screen that tells you where else you're logged in and gives you the opportunity to invalidate their session cookie.

I would suggest that a similar approach could be taken by any RP, regardless of the authentication method. And that would probably mitigate the security concern you have.

Andrew Arnott
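Both answers come down to the same point: once the OpenID exchange is over, the relying party's own "remember me" cookie is what keeps the user logged in, and the only way to honour a later change of mind (revoking the RP at the OP, changing a password) is for the RP to keep its sessions server-side and let the user see and revoke them, as Andrew describes Gmail doing. The following is an added illustration of that design, not code from Stack Overflow, the OpenID Foundation document, or either answerer: a hypothetical `SessionStore` that hands the browser a random token, stores only a hash of it, enforces a maximum lifetime, lists a user's active sessions, and revokes every session except the current one. Names, the fake clock, and the sample sessions are all constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    """One persistent login held by one browser (hypothetical record layout)."""
    user_id: str
    created_at: float
    last_seen: float
    user_agent: str
    revoked: bool = False


class SessionStore:
    """Server-side registry for "remember me" tokens issued after OpenID login.

    The browser cookie carries the raw token; the store keeps only its SHA-256,
    so a leaked copy of the store cannot be replayed as a cookie.
    """

    def __init__(self, max_age_seconds: float = 30 * 24 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}   # token hash -> Session
        self._clock = clock
        self._max_age = max_age_seconds

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str, user_agent: str) -> str:
        """Issue a fresh token for a user who has just completed OpenID auth."""
        token = secrets.token_urlsafe(32)          # 256 bits of entropy
        now = self._clock()
        self._sessions[self._hash(token)] = Session(user_id, now, now, user_agent)
        return token                               # this goes into the cookie

    def resolve(self, token: str) -> Optional[str]:
        """Map a cookie token to a user id, or None if unknown, revoked or expired."""
        s = self._sessions.get(self._hash(token))
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.created_at > self._max_age:     # absolute lifetime cap
            s.revoked = True
            return None
        s.last_seen = now
        return s.user_id

    def list_for_user(self, user_id: str) -> List[Session]:
        """What the "where else you're logged in" display would show."""
        return [s for s in self._sessions.values()
                if s.user_id == user_id and not s.revoked]

    def revoke_all_except(self, user_id: str, keep_token: str) -> int:
        """Log the user out everywhere but here; returns how many were revoked."""
        keep = self._hash(keep_token)
        count = 0
        for h, s in self._sessions.items():
            if s.user_id == user_id and h != keep and not s.revoked:
                s.revoked = True
                count += 1
        return count


class FakeClock:
    """Constructed for the demo so expiry can be tested deterministically."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Two browsers log in as the same user; one is revoked, the other expires."""
    clock = FakeClock(1_000.0)
    store = SessionStore(max_age_seconds=3600, clock=clock)
    laptop = store.create("jamie", "Firefox on laptop")     # constructed sample
    desktop = store.create("jamie", "Chrome on desktop")    # constructed sample
    out = {}
    out["both_valid"] = (store.resolve(laptop) == "jamie"
                         and store.resolve(desktop) == "jamie")
    out["active_before"] = len(store.list_for_user("jamie"))
    out["revoked"] = store.revoke_all_except("jamie", laptop)
    out["desktop_after"] = store.resolve(desktop)
    out["laptop_after"] = store.resolve(laptop)
    out["active_after"] = len(store.list_for_user("jamie"))
    clock.now += 3601                                        # past max_age
    out["laptop_expired"] = store.resolve(laptop)
    out["bogus"] = store.resolve("not-a-real-token")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lifetime check is on `created_at`, not `last_seen`, so a stolen cookie cannot keep itself alive indefinitely by being used; a sliding window would be the place to add that if the product wants it. Hashing the token means revocation and listing work on the server's copy without the server ever holding anything that is itself a valid cookie.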