OASIS Mailing List Archives

security-services message
Subject: Re: [security-services] IdP Discovery


Jeff Hodges wrote:
 > Cahill, Conor P wrote:
 >  >
 >  > I can tell you that the original intent was to use a persistent cookie
 >  > as the cookie data did not indicate session status but instead
 >  > indicated recently-used IdP(s).
 >
 > fyi/fwiw, that, as I recall, was our first-order assumption wrt the
 > "common domain cookie" (CDC), i.e. that use of a persistent cookie would
 > yield by default the most useful behavior in most of the use cases we
 > were imagining.

Hm. What I wrote above might be putting it a little strong, after re-reading 
the sections I cited in my prior note, especially wrt "...most of the use cases we 
were imagining."

Because we noted user experience aspects such as (from the previously cited NOTE in 
the Arch Overview):

   The implications with a session cookie are that it will disappear from the
   user agent cookie cache when the user logs out (although this action would
   have to be explicitly implemented) or when the user agent is exited. This
   feature may inconvenience some users. However, whether to use a session or a
   persistent cookie could be materialized to the user at identity provider
   login time in the form of a Remember Me checkbox. If not checked, a session
   cookie is used; if checked, a persistent one is used.


And we noted this in the Impl Guidelines (sec 2.1):

   Additionally, persistent cookies should be used only with the consent of the
   user. This consent step allows, for example, a user at a public machine to
   prohibit a persistent cookie that would otherwise remain in the user agent’s
   cookie cache after the user is finished.

Of course, various folks working on the specs likely had their own particular 
use-cases in mind at the time, and so would remember things as being one way or 
another. That was true of me in that I thought, "oh yeah, we were thinking 
persistent cookies..." along with Conor, before I went through the specs. In any 
case, I'm glad to note that we obviously in fact considered a broad approach to 
the tradeoffs and use cases (fwiw).

=JeffH
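As an added illustration (not code from this thread or from the SAML specifications), the Python below writes the common domain cookie either as a session cookie or as a persistent one, depending on the Remember Me consent the quoted NOTE describes, and shows the explicit logout removal the NOTE says must be implemented by hand. The cookie name `_saml_idp`, the base64-encoded entityID list with the most recently used IdP last, and the single-space separator follow the SAML 2.0 IdP Discovery profile; the percent-encoding of the value, the `MAX_IDPS` cap, the 30-day lifetime and the sample entityIDs are assumptions made here.

```python
import base64
from urllib.parse import quote, unquote

CDC_NAME = "_saml_idp"   # cookie name from the SAML 2.0 IdP Discovery profile
MAX_IDPS = 5             # assumed cap on remembered IdPs, not from the spec


def cdc_decode(cookie_value):
    """Return the IdP entityIDs stored in a CDC value, most recently used last."""
    raw = unquote(cookie_value)  # assumed: value is percent-encoded in transit
    return [base64.b64decode(tok).decode("utf-8") for tok in raw.split(" ") if tok]


def cdc_encode(entity_ids):
    """Base64 each entityID, join with single spaces, percent-encode for the cookie."""
    joined = " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)
    return quote(joined, safe="")


def cdc_update(cookie_value, entity_id):
    """Record entity_id as the most recently used IdP: remove any earlier copy,
    append it at the end, and drop the oldest entries beyond MAX_IDPS."""
    ids = [e for e in cdc_decode(cookie_value) if e != entity_id]
    ids.append(entity_id)
    return cdc_encode(ids[-MAX_IDPS:])


def cdc_set_cookie(cookie_value, common_domain, remember_me, max_age_days=30):
    """Build the Set-Cookie header for the common domain.
    Without Remember Me there is no Max-Age, so the user agent treats it as a
    session cookie and discards it on exit; with Remember Me it persists."""
    attrs = [f"{CDC_NAME}={cookie_value}", f"Domain={common_domain}", "Path=/", "Secure"]
    if remember_me:
        attrs.append(f"Max-Age={max_age_days * 86400}")
    return "; ".join(attrs)


def cdc_clear_cookie(common_domain):
    """Explicit removal at logout; a session cookie does not vanish on logout by itself."""
    return f"{CDC_NAME}=; Domain={common_domain}; Path=/; Secure; Max-Age=0"
```

Without the Remember Me consent the header carries no Max-Age, which is exactly the public-machine case the Impl Guidelines call out.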
