SitG Admin wrote:
You have to assume that the session *will* be compromised, then, and
prepare accordingly.
Arguably, the user's session at their OP would be more resistant to
being stolen than the RP's session, so perhaps the RP should frequently
call checkid_immediate to verify that the user is still signed into
their OP. This would require the attacker to steal the OP's session.
I believe that Facebook Connect takes the very extreme approach with
requiring Connect RPs to do the equivalent of checkid_immediate on every
page view. This also has the nice benefit of enforcing single sign out
across all RPs when the user signs out of Facebook. Not sure if this is
the solution that OpenID should go with; however, it's certainly
interesting.
Allen
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
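The periodic re-verification Allen proposes above, worked through as an added example that is not part of this thread or of any OpenID library: a simulated OP, RP and browser in Python. The RP keeps a session only while a checkid_immediate round trip still succeeds, so a copied RP cookie without the accompanying OP cookie dies at the next check, and signing out at the OP propagates to the RP. Everything here is constructed for illustration: the identifiers, the RECHECK_INTERVAL policy, the RETURN_TO URL, the in-process "redirect", and a hex HMAC-SHA1 standing in for an association-signed assertion.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

RECHECK_INTERVAL = 300                           # assumed RP policy: re-verify at the OP every 5 min
RETURN_TO = "https://rp.example/openid/return"   # hypothetical RP return endpoint


def sign(secret, fields, signed):
    # HMAC over the signed fields in OpenID key:value form (hex instead of base64, simplified)
    kv = "".join(f"{f}:{fields.get('openid.' + f, '')}\n" for f in signed.split(","))
    return hmac.new(secret, kv.encode(), hashlib.sha1).hexdigest()


class OpenIDProvider:
    # Simulated OP: holds its own login sessions and answers checkid_immediate
    def __init__(self):
        self.sessions = {}                           # OP cookie -> claimed identifier
        self.assoc_secret = secrets.token_bytes(20)  # shared with the RP (association, simulated)

    def login(self, claimed_id):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = claimed_id
        return cookie

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def checkid(self, op_cookie, query):
        # The request arrives via the user's browser, so the OP sees the browser's OP cookie
        p = {k: v[0] for k, v in parse_qs(query).items()}
        if p.get("openid.mode") != "checkid_immediate":
            return {"openid.mode": "error"}
        claimed = p.get("openid.claimed_id")
        if self.sessions.get(op_cookie) != claimed:
            return {"openid.mode": "setup_needed"}   # immediate mode: no interaction, so decline
        resp = {"openid.mode": "id_res", "openid.claimed_id": claimed,
                "openid.return_to": p.get("openid.return_to"),
                "openid.response_nonce": secrets.token_hex(8),
                "openid.signed": "mode,claimed_id,return_to,response_nonce"}
        resp["openid.sig"] = sign(self.assoc_secret, resp, resp["openid.signed"])
        return resp


class Browser:
    # A user agent that carries whatever cookies it has been given
    def __init__(self, cookies=None):
        self.cookies = dict(cookies or {})

    def visit_op(self, op, query):
        return op.checkid(self.cookies.get("op"), query)


class RelyingParty:
    # RP whose session survives only while periodic checkid_immediate round trips succeed
    def __init__(self, op, now):
        self.op, self.now = op, now                  # `now` is an injectable clock
        self.assoc_secret = op.assoc_secret          # obtained through association in reality
        self.sessions = {}                           # RP cookie -> {"claimed_id", "verified_at"}
        self.seen_nonces = set()

    def start_session(self, claimed_id):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"claimed_id": claimed_id, "verified_at": self.now()}
        return cookie

    def request_page(self, browser):
        # Returns the claimed id if authorized, else None (and the RP session is destroyed)
        cookie = browser.cookies.get("rp")
        sess = self.sessions.get(cookie)
        if sess is None:
            return None
        if self.now() - sess["verified_at"] >= RECHECK_INTERVAL:
            if not self._recheck(browser, sess["claimed_id"]):
                del self.sessions[cookie]            # OP would not vouch: drop the RP session
                return None
            sess["verified_at"] = self.now()
        return sess["claimed_id"]

    def _recheck(self, browser, claimed_id):
        query = urlencode({"openid.mode": "checkid_immediate",
                           "openid.claimed_id": claimed_id, "openid.return_to": RETURN_TO})
        r = browser.visit_op(self.op, query)
        signed = r.get("openid.signed")
        if r.get("openid.mode") != "id_res" or not signed:
            return False
        if r.get("openid.claimed_id") != claimed_id or r.get("openid.return_to") != RETURN_TO:
            return False
        if r.get("openid.response_nonce") in self.seen_nonces:   # replayed assertion
            return False
        if not hmac.compare_digest(sign(self.assoc_secret, r, signed), r.get("openid.sig", "")):
            return False
        self.seen_nonces.add(r["openid.response_nonce"])
        return True


def demo():
    # Normal use, a copied RP cookie with no OP session, then single sign-out at the OP
    clock = [0]
    op = OpenIDProvider()
    rp = RelyingParty(op, lambda: clock[0])
    alice_id = "https://alice.example/"              # constructed identifier
    alice = Browser({"op": op.login(alice_id)})
    alice.cookies["rp"] = rp.start_session(alice_id)
    out = {"fresh": rp.request_page(alice)}          # within the interval: no OP round trip
    clock[0] += RECHECK_INTERVAL
    out["recheck_ok"] = rp.request_page(alice)       # OP cookie present: id_res, session kept
    copied = Browser({"rp": alice.cookies["rp"]})    # RP cookie alone, no OP cookie
    clock[0] += RECHECK_INTERVAL
    out["copied_cookie"] = rp.request_page(copied)   # setup_needed: RP session destroyed
    alice.cookies["rp"] = rp.start_session(alice_id)
    op.logout(alice.cookies["op"])                   # user signs out at the OP
    clock[0] += RECHECK_INTERVAL
    out["after_op_logout"] = rp.request_page(alice)  # next check fails: single sign-out
    return out
```

The cost of this design is one OP round trip per RECHECK_INTERVAL per user, which is the knob between Allen's "frequently" and Facebook's every-page-view extreme; the RP must still validate the assertion (signature, return_to, nonce) on every round trip, otherwise the re-check protects nothing.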