Comment 2 for bug 1040901

Revision history for this message
Christophe Combelles (ccomb) wrote :

The bad line is in auth_openid/controllers/main.py:47:

_storedir = os.path.join(tempfile.gettempdir(), 'openerp-auth_openid-store')

It means that the openid store is shared between several system users, which might have security implications, as stated by the openid doc (openid/consumer/consumer.py):

    Since the store does hold secrets shared between your application and the
    OpenID provider, you should be careful about how you use it in a shared
    hosting environment. If the filesystem or database permissions of your
    web host allow strangers to read from them, do not store your data there!
    If you have no safe place to store your data, construct your consumer
    with C{None} for the store, and it will operate only in stateless mode.
    Stateless mode may be slower, put more load on the OpenID provider, and
    trusts the provider to keep you safe from replay attacks.

I'm not sure just now how to fix this for a multiprocess gunicorn environment, but it should be doable.

I would definitely not classify this issue as invalid because it prevents OpenERP from working as expected in a multiuser environment as any unix application.
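One way to avoid a store path that every account on the host shares, shown here as an added example that is not code from the bug report or from OpenERP's auth_openid module: key the directory under the temp dir by the effective uid, create it with mode 0700, and refuse to use it when it is a symlink, owned by someone else, or group/world accessible. The function names (`private_store_dir`, `check_store_dir`) are hypothetical; the directory name reuses the one from the quoted line.

```python
import os
import stat
import tempfile

# Hypothetical hardened replacement for
#   os.path.join(tempfile.gettempdir(), 'openerp-auth_openid-store')
# The directory is keyed by the effective uid, so worker processes of the
# same account (e.g. gunicorn workers) share it, while other accounts on
# the host get neither read nor write access to the shared secrets.

STORE_NAME = "openerp-auth_openid-store"


def check_store_dir(path):
    """Return (ok, reason) describing whether `path` is safe to hold
    OpenID association secrets for the current user."""
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except OSError as exc:
        return False, "cannot stat store path: %s" % exc
    if stat.S_ISLNK(st.st_mode):
        return False, "store path is a symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "store path is not a directory"
    if st.st_uid != os.geteuid():
        return False, "store directory is owned by another user"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "store directory is group/world accessible"
    return True, "ok"


def private_store_dir(base=None, name=STORE_NAME):
    """Create (if needed) and validate a per-user, mode-0700 store directory
    under `base` (defaults to the system temp dir). Raises RuntimeError if
    the existing path cannot be trusted."""
    base = base or tempfile.gettempdir()
    path = os.path.join(base, "%s-%d" % (name, os.geteuid()))
    try:
        # Create with a restrictive mode in one step; the umask can only
        # remove bits, so the result is never wider than 0700.
        os.mkdir(path, 0o700)
    except FileExistsError:
        # Something is already there: it is validated below, never trusted
        # blindly, because a different user may have planted it first.
        pass
    ok, reason = check_store_dir(path)
    if not ok:
        raise RuntimeError("%s: %s" % (reason, path))
    return path


if __name__ == "__main__":
    # Constructed demonstration on a throwaway base directory.
    demo_base = tempfile.mkdtemp()
    d = private_store_dir(base=demo_base)
    print("store directory:", d, check_store_dir(d))
    os.chmod(d, 0o755)  # simulate a permission mistake
    print("after chmod 755:", check_store_dir(d))
```

Calling `private_store_dir()` in place of the fixed `tempfile.gettempdir()` join gives each system user its own store; the validation step matters because the temp directory is world-writable, so an existing entry at that name must be checked rather than assumed to be ours.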