Dick Hardt wrote:
Given that we want to provide a similar flow, but the authentication is
now done by the OP, what does Amazon do if the user pauses right after
re-authenticating, but before completing the purchase?
You can pause for quite a long time, I would assume twenty minutes.
From the behavior I conjecture that Amazon has low privilege cookies
that never time out for interacting with the user, and high privilege
cookies for buying stuff that after a while get deprivileged. If you
want to buy stuff, you need a high privilege cookie.
In which case, the request should tell whether it wants to create a high
privilege or low privilege cookie, and the OP then considers whether it
has recently granted a high privilege authentication. If it has
recently granted a high privilege authentication, promptly grants
another, otherwise forces user to re login.
This account of the algorithm is theory based on casual observation,
which theory needs testing.
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
