No way to expire existing sessions

Bug #712698 reported by Francis J. Lacoste
Affects: Apache OpenID | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

We currently set the session lifetime to 1h. This basically means that we have to do the OpenID dance several times a day for sites that are protected using this module. This is significant friction. But since there is no way to revoke existing sessions, it's the only way to enforce security.

There should be a way to either selectively force a new session, or a way to trash all sessions. That would enable us to raise the default session lifetime.

Robert Collins (lifeless) wrote:

Concretely we need to solve this use case: "person with privilege leaves the team". One way would be to have a means to reset all the nonces, so that everyone logs in again. E.g. this might be as simple as 'apachectl restart'.

Once we have this, we can increase the nonce lifetime for Canonical apacheopenid sites, which will make many folk happy happy happy.

William Grant (wgrant) wrote:

Expiring the mod_python session cache is probably sufficient here, although bug #652877 suggests that team memberships are cached elsewhere.

In the default configuration (eg. devpad), 'rm /tmp/mp_sess.dbm' should work fine.
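The two revocation paths the description asks for (selectively force one person to log in again, or trash every session so that the default lifetime can be raised) can both be implemented cheaply by stamping each session with epoch counters at creation time and rejecting any session whose stamps no longer match. The block below is an added illustration of that design and is not code from the Apache OpenID module or from mod_python; SessionStore, revoke_all, revoke_user and FakeClock are hypothetical names, the 24h lifetime is an assumed value, and the in-memory dict stands in for the mod_python session cache discussed above.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    global_epoch: int   # value of the store-wide epoch when the session was issued
    user_epoch: int     # value of this user's epoch when the session was issued


class SessionStore:
    """Hypothetical session store with global and per-user revocation.

    A session is valid only while its age is under the lifetime AND both epoch
    stamps still equal the current counters. Bumping a counter therefore
    invalidates every session issued before the bump without touching the
    stored sessions one by one.
    """

    def __init__(self, lifetime_seconds=24 * 3600, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self.global_epoch = 0   # bumped by revoke_all()
        self.user_epochs = {}   # user -> epoch, bumped by revoke_user()
        self.sessions = {}      # session id -> Session

    def create(self, user):
        # 256-bit random id; unguessable session identifiers are a prerequisite
        # for any of the revocation logic below to mean anything.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(
            user=user,
            created=self.clock(),
            global_epoch=self.global_epoch,
            user_epoch=self.user_epochs.get(user, 0),
        )
        return sid

    def lookup(self, sid):
        """Return the user for a valid session, or None if missing, expired or revoked."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        expired = self.clock() - s.created > self.lifetime
        revoked = (s.global_epoch != self.global_epoch
                   or s.user_epoch != self.user_epochs.get(s.user, 0))
        if expired or revoked:
            del self.sessions[sid]   # lazy cleanup on first rejected use
            return None
        return s.user

    def revoke_all(self):
        """Equivalent of 'rm /tmp/mp_sess.dbm': everyone logs in again."""
        self.global_epoch += 1

    def revoke_user(self, user):
        """'Person with privilege leaves the team': only that user's sessions die."""
        self.user_epochs[user] = self.user_epochs.get(user, 0) + 1


class FakeClock:
    """Constructed clock so the expiry path can be exercised without sleeping."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    alice, bob = store.create("alice"), store.create("bob")
    store.revoke_user("alice")
    print("alice after revoke_user:", store.lookup(alice))   # None
    print("bob after revoke_user(alice):", store.lookup(bob))  # bob
    store.revoke_all()
    print("bob after revoke_all:", store.lookup(bob))          # None
    carol = store.create("carol")
    clock.advance(24 * 3600 + 1)
    print("carol after lifetime:", store.lookup(carol))        # None
```

With this in place the lifetime can be raised to a day or more, because the offboarding case no longer depends on sessions timing out; revoke_user is the targeted fix and revoke_all is the blunt instrument that a restart or deleting the dbm file gives today.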
