#74 ✓resolved

Updating self.openid_identifier to server returned value

Reported by Daniel | April 2nd, 2009 @ 11:20 AM

Hi Ben,

Thanks for addressing the issue of setting self.openid_identifier to the server returned value; however, it appears that the solution currently implemented would update the user's openid_identifier every time the user logged in. It seems to me that this should only be updated when the user is creating an account or changing their OpenID.

Updating the openid_identifier each time seems to me to be a (however small) security hole, in that people create accounts and change their OpenID relatively infrequently, but sign in frequently. So if ever an OpenID provider were compromised, it could be used to change the OpenIDs of existing users whenever they logged in, thereby giving the attacker account access via the OpenID he provided.

Thank You,
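
The distinction the report draws, as an added Ruby example that is not part of the original ticket or the project's own code: the identifier is written only at account creation or an explicit change, and sign-in treats the provider-returned value as a lookup key. `Account`, `AccountStore`, every method name and the sample URLs are hypothetical.

```ruby
# Added illustration; all names here are hypothetical, not the project's API.
Account = Struct.new(:login, :openid_identifier)

class AccountStore
  def initialize; @accounts = []; end

  # Write path 1: account creation stores the provider-verified identifier.
  def register(login, verified_identifier)
    raise ArgumentError, "identifier already taken" if find(verified_identifier)
    Account.new(login, verified_identifier).tap { |a| @accounts << a }
  end

  # Write path 2: an explicit change requested by an already signed-in user.
  def change_identifier(account, verified_identifier)
    raise ArgumentError, "identifier already taken" if find(verified_identifier)
    account.openid_identifier = verified_identifier
  end

  def find(identifier)
    @accounts.find { |a| a.openid_identifier == identifier }
  end

  # Behaviour the ticket objects to: every sign-in rewrites the stored value.
  def sign_in_overwriting(typed_identifier, returned_identifier)
    account = find(typed_identifier)
    account.openid_identifier = returned_identifier if account
    account
  end

  # Read-only sign-in: the returned identifier is only a lookup key, so a
  # value that matches no account yields nil and nothing is stored.
  def sign_in_read_only(returned_identifier)
    find(returned_identifier)
  end
end

# Constructed sample values.
STORED   = "https://openid.example/daniel"
RETURNED = "https://openid.example/someone-else"

# Registers one account, runs the given sign-in, returns what is now stored.
def stored_after_sign_in
  store = AccountStore.new
  account = store.register("daniel", STORED)
  yield store
  account.openid_identifier
end

puts stored_after_sign_in { |s| s.sign_in_overwriting(STORED, RETURNED) }
puts stored_after_sign_in { |s| s.sign_in_read_only(RETURNED) }
```

The first line printed is the replaced identifier, the second is the original one, unchanged.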



Object-based authentication solution that handles all of the nonsense for you. It's as easy as ActiveRecord is with a database.
