This feed contains pages in the "openid" category.

There are a lot of websites nowadays that assume cookies are stored. In fact, far too many websites rely on cookies for information that should never have been stored in a cookie in the first place. Good examples are websites that store language settings in session data without making sure the session data is relayed to the next page if the cookie hasn't been confirmed.

Luckily, PHP and friends have automated ways of adding session IDs to the URL. This is not always a good thing, since it lets the programmer forget about cookies and sessions altogether. The downside is that a lot of websites keep cookies and sessions around for things that never needed a session, simply because it's convenient to have the session present instead of creating one when it's actually required.

Internal website problems are easy to spot and fix. What usually gets overlooked are the external components. Captchas, various forms and OpenID use interfaces outside of the normal code paths and are easily overlooked. Captchas are the most common case: external code assigns a text string to the session information, which the website then reads. If the captcha application doesn't receive the session information it will usually happily create a new session, different from the one the user already has, and store the data there.

OpenID has a different kind of problem. Since the login is relayed to a third party, the third party has to be told about the session present on the originating website. This could be done by passing the session ID in the return URL sent to the provider; the provider would handle the login as normal and pass the URL with the session ID back to the client. The problem is that handing the session ID to a third party is a security risk: if the originating website doesn't apply proper session restrictions, the running session could easily be hijacked. This is not the only way a session can be hijacked, so applying such restrictions is a good idea in any case.

The only viable solution here would be to create a one-time return URL for the OpenID provider that doesn't include the session ID. This return URL would be valid only after a successful login on the provider. This way each return URL would be valid for only a short period of time.
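As an added illustration of the one-time return URL idea above (example code written for this page, not from the post or from any OpenID library), the relying party hands the provider a URL carrying only an unguessable token, keeps the token-to-session binding server-side, and accepts the return at most once, within a short lifetime, and only from the browser that holds the bound session. The endpoint name, the `rt` parameter, the in-memory store and the 300-second lifetime are assumptions.

```python
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical relying-party endpoint the provider redirects the browser back to.
RETURN_BASE = "https://rp.example/openid/return"
TOKEN_TTL = 300  # seconds a return URL stays usable once issued (assumed value)

# Server-side store of outstanding return tokens: token -> (session id, issue time).
# A real deployment would keep this in a database or cache, not in process memory.
_pending: dict = {}


def issue_return_url(session_id: str, now: Optional[float] = None) -> str:
    """Build the one-time return_to URL for the provider.

    The URL carries only a random token; the session id stays on the server,
    so nothing the provider (or a log of provider traffic) sees can be replayed
    to hijack the session.
    """
    token = secrets.token_urlsafe(32)
    _pending[token] = (session_id, time.time() if now is None else now)
    return f"{RETURN_BASE}?{urlencode({'rt': token})}"


def consume_return_url(url: str, presented_session_id: str,
                       now: Optional[float] = None) -> bool:
    """Validate a return URL hit by the browser after the provider login.

    Succeeds at most once per token, only before the TTL expires, and only if
    the session cookie the browser presents is the one the token was issued
    for. Checking the OpenID assertion itself (signature, nonce) is the OpenID
    library's job and happens in addition to this check.
    """
    token = parse_qs(urlparse(url).query).get("rt", [None])[0]
    entry = _pending.pop(token, None) if token else None  # single use: gone after one try
    if entry is None:
        return False
    bound_session, issued_at = entry
    current = time.time() if now is None else now
    if current - issued_at > TOKEN_TTL:
        return False
    # Constant-time comparison so the check does not leak the bound session id.
    return hmac.compare_digest(bound_session, presented_session_id)
```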

Other good reading about OpenID and security: OpenID: Phishing Heaven

Posted Wed Aug 15 09:11:05 2007 Tags: openid

From time to time it's good to see technology doing what it's supposed to do. Ever since I started experimenting with OpenID I've started to like it more and more.

Today I switched OpenID providers since my previous favourite started having DNS problems. Since this is something that is expected with OpenID, there is no real problem in changing providers. I just modify my identity page to reflect the new provider info and all the sites I used to use work just as normal. Naturally there are exceptions to this; Commongate is one of the sites that bind to the provider, so the next time I log in I will get yet another identity on that site.

So now I'm using MyOpenID which provides a slick way to log in to my account. I can use the traditional username/password method or an SSL certificate. I love the freedom to choose!

Posted Sat Apr 21 23:47:33 2007 Tags: openid

I have some strong opinions about forums. It's not that they aren't useful in many ways. It's the fact that forums are a pain to navigate. Just look at this list on Firefox Add-ons.

So if forums are so bad, why are they more popular than ever? Mostly because they are easily accessible. Anyone with a web browser can access them. There are things that bother me; some are being addressed and some were attempted to be addressed in the past. I'll address a few problems here:

Logins are a web-wide problem. Just about every site out there has a separate login. Bulletin boards are no exception. Luckily there is a new standard in the works that is addressing this. Yes, I'm talking about OpenID. For example there is phpbb-openid, which is a plugin for phpbb that allows one to log in with OpenID. So yes, I see this problem going away in the future.

Navigation is hell with forums. This is usually a design error, but it's interesting to notice that even commercial forums suffer from this problem. There were some projects to address this, like the forumzilla project, which is an extension to Thunderbird that tries to present forums as structured mailboxes. This is the biggest problem with all forums and I don't see this improving.

Tracking new content is never easy. With mailing lists we have threads that extend to multiple levels. With blogs we have RSS. So what do we have for forums? Threads and RSS. One could think that everything is just fine, but it's not. When you combine threads with RSS you get a huge mess. Now you can select whether you want to see new messages or new threads. Neither of these will help you track the contents of the forum. So what you are left with is manual polling, and when you combine manual polling with the navigation mess, you usually want to take your life before too long.

Forums are a good medium, but whenever I run into one I get the urge to hurt myself. Forums work quite well if you are willing to put some serious effort into tracking them. But for a casual visitor like me forums are usually the final straw.

Posted Sun Mar 25 22:10:43 2007 Tags: openid