Subject: Re: [security-services] IdP Discovery
Jeff Hodges wrote:
> Cahill, Conor P wrote:
> >
> > I can tell you that the original intent was to use a persistent cookie
> > as the cookie data did not indicate session status but instead
> > indicated recently-used IdP(s).
>
> fyi/fwiw, that, as I recall, was our first-order assumption wrt the
> "common domain cookie" (CDC), i.e. that use of a persistent cookie would
> yield by default the most useful behavior in most of the use cases we
> were imagining.

Hm. What I wrote above might be putting it a little strong, after re-reading the sections I cited in the prior note, especially wrt "...most of the use cases we were imagining." Because we noted user experience aspects such as (from the previously cited NOTE in the Arch Overview)..

    The implications with a session cookie are that it will disappear from
    the user agent cookie cache when the user logs out (although this action
    would have to be explicitly implemented) or when the user agent is
    exited. This feature may inconvenience some users. However, whether to
    use a session or a persistent cookie could be materialized to the user
    at identity provider login time in the form of a Remember Me checkbox.
    If not checked, a session cookie is used; if checked, a persistent one
    is used.

And we noted this in the Impl Guidelines (sec 2.1)..

    Additionally, persistent cookies should be used only with the consent of
    the user. This consent step allows, for example, a user at a public
    machine to prohibit a persistent cookie that would otherwise remain in
    the user agent's cookie cache after the user is finished.

Of course, various folks working on the specs likely had their own particular use-cases in mind at the time, and so would remember things as being one way or another. That was true with me in that I thought, "oh yeah we were thinking persistent cookies..." along with Conor, before I went through the specs.

In any case, I'm glad to note that we obviously in fact considered a broad approach to the tradeoffs and use cases (fwiw).

=JeffH
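The session-versus-persistent choice discussed in the message above, shown as an added example that is not code from this thread or from any Liberty/SAML implementation. It writes and reads a common domain cookie whose value is a list of recently used IdP entity IDs (most recent last); the cookie name `_saml_idp`, the space-separated base64 encoding and the percent-encoding of the value follow the SAML 2.0 IdP Discovery profile as recalled by the author of this example, and the common domain name, the 90-day lifetime and the IdP entity IDs are constructed assumptions. A "Remember Me" consent flag decides whether a Max-Age is emitted (persistent) or omitted (session cookie), and logout explicitly expires the cookie, the step the Arch Overview notes must be implemented.

```python
"""Common domain cookie (CDC) writer/reader: session vs. persistent cookie.

Added example; not code from the mailing-list thread or from any SAML/Liberty
product. Cookie name and value encoding follow the SAML 2.0 IdP Discovery
profile as recalled here; domain, lifetime and entity IDs are assumptions.
"""
import base64
from urllib.parse import quote, unquote

CDC_NAME = "_saml_idp"              # profile cookie name (as recalled)
COMMON_DOMAIN = "cdc.example.net"   # assumption: the shared discovery domain
REMEMBER_MAX_AGE = 90 * 24 * 3600   # assumption: 90-day persistent lifetime


def _b64(entity_id: str) -> str:
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def _unb64(token: str) -> str:
    return base64.b64decode(token.encode("ascii")).decode("utf-8")


def parse_cdc(raw_value: str) -> list[str]:
    """Decode a raw (percent-encoded) CDC value into entity IDs, oldest first."""
    if not raw_value:
        return []
    return [_unb64(tok) for tok in unquote(raw_value).split(" ") if tok]


def updated_cdc(raw_value: str, idp_entity_id: str) -> str:
    """Return the new raw CDC value after a successful login at idp_entity_id.

    The IdP is moved (or appended) to the end of the list so the most
    recently used IdP is always last; duplicates are collapsed.
    """
    ids = [i for i in parse_cdc(raw_value) if i != idp_entity_id]
    ids.append(idp_entity_id)
    # Percent-encode so the space separator and base64 padding are cookie-safe.
    return quote(" ".join(_b64(i) for i in ids), safe="")


def set_cookie_header(raw_value: str, remember_me: bool) -> str:
    """Build the Set-Cookie value; Max-Age only with the user's consent.

    remember_me=False yields a session cookie that the user agent drops on
    exit; remember_me=True yields a persistent cookie (the Remember Me box).
    """
    attrs = [f"{CDC_NAME}={raw_value}", f"Domain={COMMON_DOMAIN}", "Path=/", "Secure"]
    if remember_me:
        attrs.append(f"Max-Age={REMEMBER_MAX_AGE}")
    return "; ".join(attrs)


def clear_cookie_header() -> str:
    """Explicit logout: expire the CDC regardless of how it was issued."""
    return "; ".join(
        [f"{CDC_NAME}=", f"Domain={COMMON_DOMAIN}", "Path=/", "Secure", "Max-Age=0"]
    )


if __name__ == "__main__":
    # Constructed walk-through: two logins, a re-login at the first IdP, logout.
    v = updated_cdc("", "https://idp-a.example.org/saml")
    v = updated_cdc(v, "https://idp-b.example.org/saml")
    v = updated_cdc(v, "https://idp-a.example.org/saml")
    print("recent IdPs:", parse_cdc(v))
    print("session   :", set_cookie_header(v, remember_me=False))
    print("persistent:", set_cookie_header(v, remember_me=True))
    print("logout    :", clear_cookie_header())
```

A service provider reading the cookie on the common domain takes the last element of `parse_cdc(...)` as the user's most recently used IdP; the consent flag is the only thing that differs between the two `Set-Cookie` forms, which is exactly the "Remember Me" tradeoff the quoted NOTE describes.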