Allen Tom wrote:

I believe that Facebook Connect takes the very extreme approach with requiring Connect RPs to do the equivalent of checkid_immediate on every page view. This also has the nice benefit of enforcing single sign out across all RPs when the user signs out of Facebook. Not sure if this is the solution that OpenID should go with, however, it's certainly interesting.


I may be mistaken, but I believe the Facebook Connect check on every page is not a security feature but rather a UX feature. Its purpose is to keep the session state on the "RP" consistent with the session state on Facebook to avoid strange situations where the RP presents information from both backchannel API requests and client-side API requests and these two actually represent different users.

However, it cannot be relied upon as a security feature without additional protections because an attacker can simply prevent his user agent from making the request to Facebook and thus keep the RP session active. (You could potentially supplement this with additional backchannel checks to ensure that the client-side request actually ran, but as far as I'm aware Facebook Connect does not offer this today.)

In other words, it presents the illusion of single sign-out. It does not, however, provide the security benefits of single sign-out. I cannot simply log out of Facebook and assume that my session at RP sites has also ended.

If I'm mistaken about this I'm happy to be corrected.


_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
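The distinction the reply draws, between an RP that learns about IdP sign-out only from a client-side request the browser can suppress and an RP that verifies directly over a backchannel, can be shown with a small simulation. The code below is an added example and is not from the mailing list thread, Facebook Connect, or any OpenID implementation; the `IdP`, `RP` and `browser` names and the "client_ping" / "backchannel" modes are hypothetical simplifications made up for illustration.

```python
"""Added example (not from the thread): toy model of two ways an RP can learn
that the user's IdP session ended. All classes and names are hypothetical."""
import secrets


class IdP:
    """Toy identity provider (stand-in for the IdP in the thread; hypothetical)."""

    def __init__(self):
        self._tokens = {}  # idp token -> user id

    def login(self, user_id):
        token = secrets.token_hex(8)
        self._tokens[token] = user_id
        return token

    def logout(self, user_id):
        # Sign-out at the IdP: every token belonging to this user is invalidated.
        for t in [t for t, u in self._tokens.items() if u == user_id]:
            del self._tokens[t]

    def is_active(self, token):
        # Server-to-server (backchannel) check: the RP asks the IdP directly.
        return token in self._tokens


class RP:
    """Toy relying party with two modes for noticing that the IdP session ended."""

    def __init__(self, idp, mode):
        assert mode in ("client_ping", "backchannel")
        self.idp = idp
        self.mode = mode
        self._sessions = {}  # rp session id -> idp token

    def connect(self, idp_token):
        sid = secrets.token_hex(8)
        self._sessions[sid] = idp_token
        return sid

    def page_view(self, sid, client_report):
        """Serve a page and return whether the RP session is still active.

        client_report is what the client-side check script sent back:
        True = IdP says active, False = IdP says logged out, None = it never ran.
        """
        if sid not in self._sessions:
            return False
        if self.mode == "client_ping":
            # The RP acts only on what the browser chose to tell it; a browser
            # that never makes the request leaves the session untouched.
            if client_report is False:
                del self._sessions[sid]
        else:
            # The RP verifies with the IdP itself; the browser cannot suppress this.
            if not self.idp.is_active(self._sessions[sid]):
                del self._sessions[sid]
        return sid in self._sessions


def browser(idp, idp_token, blocks_check):
    """What the client-side check reports to the RP. A hostile user agent
    simply never makes the request to the IdP, so it reports nothing (None)."""
    if blocks_check:
        return None
    return idp.is_active(idp_token)


def session_survives_idp_logout(mode, blocks_check):
    """Does the RP session stay alive after the user logs out of the IdP?"""
    idp = IdP()
    rp = RP(idp, mode)
    token = idp.login("alice")  # constructed sample user
    sid = rp.connect(token)
    idp.logout("alice")
    report = browser(idp, token, blocks_check)
    return rp.page_view(sid, report)


if __name__ == "__main__":
    for mode in ("client_ping", "backchannel"):
        for blocks in (False, True):
            who = "attacker blocks check" if blocks else "honest browser"
            print(f"{mode:11} {who:22} -> RP session alive: "
                  f"{session_survives_idp_logout(mode, blocks)}")
```

With an honest browser both modes end the RP session on the next page view, which is the illusion of single sign-out the reply describes. Only the backchannel mode still ends it when the user agent withholds the client-side request; in client_ping mode the RP session outlives the IdP logout.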
