No way to expire existing sessions
Bug #712698 reported by Francis J. Lacoste
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apache OpenID | New | Undecided | Unassigned |
Bug Description
We currently set the session lifetime to 1h. This basically means that we have to do the OpenID dance several times a day for sites that are protected using this module. This is significant friction. But since there is no way to revoke existing sessions, it's the only way to enforce security.
There should be a way to either selectively force a new session, or a way to trash all sessions. That would enable us to raise the default session lifetime.
Concretely we need to solve this use case: "person with privilege leaves the team". One way would be to have a means to reset all the nonces, so that everyone logs in again. E.g. this might be as simple as 'apachectl restart'.
Once we have this, we can increase the nonce lifetime for Canonical apacheopenid sites, which will make many folk happy happy happy.
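Both requests in this report (trash all sessions, or selectively force one person to log in again) come down to a validity check that goes beyond session age, so that the lifetime no longer has to double as the revocation mechanism. The following is an added example, not mod_auth_openid code; the names SessionStore, revoke_all and revoke_user are assumptions for illustration:

```python
import secrets
from dataclasses import dataclass

# Added example (not mod_auth_openid code): a session store whose validation
# checks a store-wide generation and a per-user generation in addition to age.
# Bumping a generation invalidates every session issued before the bump, which
# is the "reset all nonces" idea from the comment above, plus a selective form.

@dataclass
class Session:
    user: str
    issued_at: float
    generation: int        # store-wide generation when the session was issued
    user_generation: int   # per-user generation when the session was issued

class SessionStore:
    def __init__(self, lifetime_seconds: float):
        self.lifetime = lifetime_seconds
        self.generation = 0          # bumped by revoke_all()
        self.user_generations = {}   # bumped by revoke_user()
        self.sessions = {}

    def issue(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(
            user, now, self.generation, self.user_generations.get(user, 0))
        return sid

    def validate(self, sid: str, now: float) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s.issued_at > self.lifetime:        # expired by age
            return False
        if s.generation < self.generation:           # revoked for everyone
            return False
        if s.user_generation < self.user_generations.get(s.user, 0):
            return False                             # revoked for this user
        return True

    def revoke_all(self) -> None:
        """Everyone logs in again (the 'reset all nonces' case)."""
        self.generation += 1

    def revoke_user(self, user: str) -> None:
        """Force one principal to re-authenticate, e.g. someone leaving the team."""
        self.user_generations[user] = self.user_generations.get(user, 0) + 1
```

With revocation available, the lifetime can be raised (8h here) without losing the ability to cut off a departed team member immediately.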