What happens after authenticating using OpenID? In a simple case, the user-agent is redirected to the OpenID provider (OP). After optionally logging in to the OP, the user-agent is returned to the consumer page given in 'openid.return_to'. Now the consumer has also verified it and sent back a '200 OK' response.
Now my question is what the user-agent should provide for subsequent access to the consumer page. When returning 200, will a cookie be returned along with it? If so, what will be the content of that cookie? And will the browser attach the cookie every time it accesses any page on the consumer domain?
What happens if the cookie is stolen? Can someone impersonate me by using the cookie?
As far as I know there are no cookies. At least not from the provider. OpenID providers don't actually manage your login sessions. They just tell you who actually signed in. You then associate that with a user in, for example, your database and manage your sessions as you see fit.
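To make the "manage your sessions as you see fit" step concrete, here is an added example (not code from the question or the answer above) of what a consumer, the OpenID relying party, typically does in its return_to handler once it has verified the assertion. The cookie it sets is the consumer's own, not the OP's; it carries only an opaque session id plus an HMAC, and the browser attaches it to every request to the consumer's domain that matches the cookie's Path and Secure attributes. The example also shows the answer to the third question: whoever holds the cookie is the user until it expires or is revoked, so the session record is kept server-side (so logout can revoke it) and the cookie is marked Secure and HttpOnly to make theft harder. The local user table, the session secret and the claimed identifiers are constructed for the example, and the OpenID signature verification itself is assumed to have already happened before `login_after_openid` is called.

```python
import hashlib
import hmac
import secrets
import time

# Constructed: the consumer's own signing key. In a real relying party this
# comes from configuration, not a literal generated at import time.
SESSION_SECRET = secrets.token_bytes(32)
SESSION_TTL_SECONDS = 3600

# Constructed local user table: verified OpenID claimed identifier -> local
# account id. This is the "associate that with a user in your database" step.
LOCAL_USERS = {
    "https://openid.example.com/alice": 42,
}

# Server-side session store: session id -> record. Keeping the record on the
# server (instead of putting the user id in a signed cookie) is what lets
# logout revoke a session, including one that was copied by an attacker.
SESSIONS = {}


def _sign(session_id: str) -> str:
    """HMAC over the session id so a forged or edited cookie is rejected."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login_after_openid(claimed_id: str, assertion_verified: bool):
    """Called by the return_to handler after the OpenID assertion was verified.

    Returns the Set-Cookie header value for the new session, or None if the
    assertion failed or the identifier maps to no local account.
    """
    if not assertion_verified or claimed_id not in LOCAL_USERS:
        return None
    session_id = secrets.token_urlsafe(32)  # opaque, no user data inside
    SESSIONS[session_id] = {
        "user_id": LOCAL_USERS[claimed_id],
        "expires": time.time() + SESSION_TTL_SECONDS,
    }
    cookie_value = f"{session_id}.{_sign(session_id)}"
    # Secure: never sent over plain HTTP. HttpOnly: not readable by page
    # scripts. SameSite=Lax: not attached to cross-site POSTs.
    return f"session={cookie_value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header: str) -> dict:
    """Minimal parser for the Cookie request header ("a=1; b=2")."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def current_user(cookie_header: str, now=None):
    """Returns the local user id for the request's session cookie, or None.

    Anyone presenting a valid cookie gets the user: it is a bearer token.
    """
    now = time.time() if now is None else now
    value = parse_cookie_header(cookie_header).get("session")
    if value is None or "." not in value:
        return None
    session_id, signature = value.rsplit(".", 1)
    if not hmac.compare_digest(signature, _sign(session_id)):
        return None  # tampered or forged cookie
    record = SESSIONS.get(session_id)
    if record is None or record["expires"] < now:
        SESSIONS.pop(session_id, None)  # expired: drop it
        return None
    return record["user_id"]


def logout(cookie_header: str) -> bool:
    """Revoke the session server-side so a stolen copy stops working too."""
    value = parse_cookie_header(cookie_header).get("session", "")
    session_id = value.rsplit(".", 1)[0]
    return SESSIONS.pop(session_id, None) is not None


if __name__ == "__main__":
    set_cookie = login_after_openid("https://openid.example.com/alice", True)
    print("Set-Cookie:", set_cookie)
    cookie = set_cookie.split(";")[0]        # what the browser sends back
    print("user on next request:", current_user(cookie))
    print("same cookie from another client:", current_user(cookie))
    print("after logout, revoked:", logout(cookie), current_user(cookie))
```

Running it shows the two halves of the question: the cookie content is just an opaque id and a MAC, and a copy of it is as good as the original until `logout` removes the server-side record or the TTL passes. Shortening the TTL, rotating the id after login, and binding nothing sensitive into the cookie itself are the usual knobs; none of them come from the OpenID provider.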