OpenId + remember me / staying logged in


Question

I have a question as to how / what the best approaches are to using OpenId and also providing the ability to stay logged in.

If I look at Stackoverflow, for example, I have logged in using Google, and if I close my browser and come back it still has me logged in.

However, I am not logged into Google, and moreover I have removed stackoverflow from the list of authorised services which have access to my Google account. I would naively expect that stackoverflow would prompt me to log in again, but it doesn't.

So my question is, what are the best practices regarding OpenId and remembering authenticated users across sessions?

Recommended answer

OpenID is still pretty new and several relying parties are trying out new and different ways to implement OpenID. There is a work-in-progress best practices document for relying parties hosted by the OpenID Foundation. In particular, they address the question of cookies and session lengths in their last section. It is definitely an interesting idea to use persistent claimed_id cookies rather than persistent session cookies in order to make the user's life easier -- they only have to log out of their OP and close the browser.

Personally I find the behavior you're describing on StackOverflow pretty natural. If OpenID were out of the picture and you were logged into a username/password web site on two different computers with a persistent cookie (a very common scenario), and you changed your password on one, I wouldn't be surprised if the other computer still had you logged in. You could call that a security hole, but it's still normal practice. So normal, in fact, that Gmail recently added a display at the bottom of your Inbox screen that tells you where else you're logged in and gives you the opportunity to invalidate those session cookies.

I would suggest that a similar approach could be taken by any RP, regardless of the authentication method. And that would probably mitigate the security concern you have.
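The answer describes two relying-party (RP) practices: a persistent cookie that carries the OpenID claimed_id rather than a server session, and a Gmail-style panel that lists the other places a user is logged in and lets them invalidate those logins. The following is an added example (not code from the original post, and not any library's API) of how an RP might store such persistent logins so that both are possible: one record per device, only a hash of the cookie value kept server-side, and a revoke-others operation for the "where else am I logged in" panel. The 30-day lifetime, the `RememberMeStore` class and all identifiers are constructed for illustration.

```python
"""Persistent "remember me" logins for an OpenID relying party.

Added example for the answer above. Assumptions (not from the original post):
 - the cookie value is a random token; the RP stores only its SHA-256 hash,
   so a leaked database does not yield usable cookies;
 - each persistent login is bound to the OpenID claimed_id it was issued for;
 - REMEMBER_ME_TTL is a constructed policy value (30 days).
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REMEMBER_ME_TTL = 30 * 24 * 3600  # constructed: persistent logins expire after 30 days


@dataclass
class PersistentSession:
    token_hash: str   # SHA-256 of the cookie value; the raw token lives only in the browser
    claimed_id: str   # the OpenID identifier the user authenticated with
    user_agent: str   # shown to the user in the "other logins" panel
    created_at: float
    last_seen: float


class RememberMeStore:
    """In-memory store of persistent logins; a real RP would back this with a database."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, PersistentSession] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, claimed_id: str, user_agent: str) -> str:
        """Create a persistent login after a successful OpenID assertion.

        Returns the value to place in the remember-me cookie.
        """
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        now = self._now()
        self._sessions[h] = PersistentSession(h, claimed_id, user_agent, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented cookie back to its claimed_id, or None if unknown or expired."""
        h = self._hash(token)
        session = self._sessions.get(h)
        if session is None:
            return None
        now = self._now()
        if now - session.created_at > REMEMBER_ME_TTL:
            del self._sessions[h]  # expired: drop it so it cannot be replayed later
            return None
        session.last_seen = now
        return session.claimed_id

    def active_sessions(self, claimed_id: str) -> List[PersistentSession]:
        """Everything the 'you are also logged in at ...' panel would display."""
        return [s for s in self._sessions.values() if s.claimed_id == claimed_id]

    def revoke_others(self, token: str) -> int:
        """Invalidate every other device's persistent login for the same identity.

        Returns the number of logins revoked. The current device keeps its login.
        """
        h = self._hash(token)
        current = self._sessions.get(h)
        if current is None:
            return 0
        others = [k for k, s in self._sessions.items()
                  if s.claimed_id == current.claimed_id and k != h]
        for k in others:
            del self._sessions[k]
        return len(others)


if __name__ == "__main__":
    # Constructed walk-through: two devices, then revocation from the laptop.
    store = RememberMeStore()
    laptop = store.issue("https://alice.example.org/", "laptop browser")
    phone = store.issue("https://alice.example.org/", "phone browser")
    print("active:", [s.user_agent for s in store.active_sessions("https://alice.example.org/")])
    print("revoked:", store.revoke_others(laptop))
    print("phone still valid:", store.resolve(phone) is not None)
```

Because the store holds only token hashes, the Gmail-style panel can be built from `active_sessions` without ever exposing a usable cookie value, and `revoke_others` gives the user the invalidation the answer recommends regardless of whether the original login was via OpenID or a password.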
