Auto-login is currently a feature for trusted sites only and cannot be controlled by our users for their favourite sites. We also implemented check_immediate for trusted sites in bug #449708. We should add a feature to enable users to auto-login to any site they visit and subsequently control these settings.
Some initial suggestions:
* Limit server-controlled auto-login to trusted SSO sites (see bug #600224) ie: all trusted SSO sites automatically get auto-login - it doesn't have to be enabled because it's assumed to be part of the full SSO experience.
* Add a "Log me in to this site automatically" checkbox near the login button on the openid confirmation page. This should be unchecked by default. When checked, subsequent logins should happen using the existing auto-login code, except...
* If the information requested by the consumer is added to (not removed from - we don't need to inform the user of less info than originally approved being sent) then we should not auto-login. The new info will be clearly identified (see bug #121533). The "Log me in to this site automatically" checkbox should be checked by default so the auto-login continues to work next time, unless the user changes their mind.
* We should add a "Sites" view which enables the user to manage all sites they have logged in to, ever (so it should be paged, sorted by last login date). This should enable them to set whether they can auto-login to the site with a checkbox.
* A site which can auto-login should also be able to do check_immediate as long as the requested info isn't added to since auto-login was set. Otherwise, it should respond negatively forcing the user to have to confirm the change as described above.
* Question: Should a user be able to change their auto-login preference for a server-set auto-login (ie: trusted SSO site)?