OpenId + remember me / staying logged in

I have a question as to how / what the best approaches are to using OpenId and also providing the ability to stay logged in.

If I look at Stackoverflow, for example, I have logged in using Google, and if I close my browser and come back it still has me as logged in.

However, I am not logged into Google and, moreover, I have removed stackoverflow from the list of authorised services which have access to my Google account. I would naively expect that stackoverflow would prompt me to log in again, but it doesn't.

So my question is, what are the best practices regarding OpenId and remembering authenticated users across sessions?

jamie asked Jun 04 '09 11:06


1 Answer

OpenID is still pretty new and several relying parties are trying out new and different ways to implement OpenID. There is a work-in-progress best practices document for relying parties hosted by the OpenID Foundation. In particular, they address the question of cookies and session lengths in their last section. It is definitely an interesting idea to use persistent claimed_id cookies rather than persistent session cookies in order to make the user's life easier: they only have to log out of their OP and close the browser.

Personally, I find the behavior you're describing on StackOverflow pretty natural. If OpenID were out of the picture and you were logged into a username/password web site on two different computers with a persistent cookie (a very common scenario), and you changed your password on one, I wouldn't be surprised if the other computer still had you logged in. You could call that a security hole, but it's still normal practice. So normal, in fact, that Gmail recently added a display at the bottom of your Inbox screen that tells you where else you're logged in and gives you the opportunity to invalidate their session cookie.

I would suggest that a similar approach could be taken by any RP, regardless of the authentication method. And that would probably mitigate the security concern you have.

Andrew Arnott answered Oct 18 '22 02:10
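The two ideas in the answer above, a persistent claimed_id cookie that is only a hint the relying party re-checks with the OP before creating a session, and a Gmail-style inventory of active sessions the user can revoke, can be sketched in a few dozen lines. The following is an added example, not code from the question, the answer or the OpenID best-practices document; `FakeOP`, `RelyingParty`, the `checkid_immediate` stub and the realm and claimed_id values are all constructed for illustration, and the stub collapses the real redirect-and-verify OpenID exchange into a single method call.

```python
import secrets
import time


class FakeOP:
    """Stand-in for an OpenID Provider; real OpenID messages are not modelled."""

    def __init__(self):
        self.logged_in = set()   # claimed_ids with a live session at the OP
        self.approved = set()    # (claimed_id, realm) pairs the user has authorised

    def login(self, claimed_id):
        self.logged_in.add(claimed_id)

    def logout(self, claimed_id):
        self.logged_in.discard(claimed_id)

    def approve(self, claimed_id, realm):
        self.approved.add((claimed_id, realm))

    def revoke_approval(self, claimed_id, realm):
        # The "remove this site from authorised services" action in the question.
        self.approved.discard((claimed_id, realm))

    def checkid_immediate(self, claimed_id, realm):
        # Immediate mode succeeds only without user interaction: the user is
        # signed in at the OP and has previously approved this realm.
        return claimed_id in self.logged_in and (claimed_id, realm) in self.approved


class RelyingParty:
    SESSION_TTL = 3600  # the session cookie is short-lived (seconds)

    def __init__(self, op, realm):
        self.op = op
        self.realm = realm
        self.sessions = {}  # session id -> {"claimed_id", "created", "ua"}

    def handle_request(self, cookies, user_agent, now=None):
        """Return (claimed_id or None, cookies to set); None means show the login page."""
        now = time.time() if now is None else now
        sid = cookies.get("session")
        sess = self.sessions.get(sid)
        if sess is not None:
            if now - sess["created"] < self.SESSION_TTL:
                return sess["claimed_id"], {}
            del self.sessions[sid]  # expired: drop it from the inventory
        # No live session: treat the persistent claimed_id cookie as a hint only,
        # and ask the OP in immediate mode whether the user is still signed in there.
        claimed = cookies.get("claimed_id")
        if claimed and self.op.checkid_immediate(claimed, self.realm):
            return self._start_session(claimed, user_agent, now)
        return None, {}

    def login(self, claimed_id, user_agent, now=None):
        """Called after a successful interactive OpenID assertion."""
        return self._start_session(claimed_id, user_agent, time.time() if now is None else now)

    def _start_session(self, claimed_id, user_agent, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"claimed_id": claimed_id, "created": now, "ua": user_agent}
        # A real RP would set both cookies HttpOnly and Secure; only "claimed_id"
        # is persistent, while "session" expires with SESSION_TTL.
        return claimed_id, {"session": sid, "claimed_id": claimed_id}

    def active_sessions(self, claimed_id, now=None):
        """The Gmail-style inventory: where else is this user currently signed in?"""
        now = time.time() if now is None else now
        return [(sid, s["ua"]) for sid, s in self.sessions.items()
                if s["claimed_id"] == claimed_id and now - s["created"] < self.SESSION_TTL]

    def revoke_other_sessions(self, claimed_id, keep_sid):
        """Invalidate every session of this user except the one making the request."""
        stale = [sid for sid, s in self.sessions.items()
                 if s["claimed_id"] == claimed_id and sid != keep_sid]
        for sid in stale:
            del self.sessions[sid]
```

Walking through the questioner's scenario with this model: an RP session that was created before the user removed the site from their authorised services stays valid until it expires, exactly as observed on StackOverflow; what the claimed_id-cookie approach buys is that once that short session ends, the next silent sign-in is refused by the OP, and the session inventory lets the user cut the remaining sessions off immediately rather than waiting for them to expire.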