|
cosign-discuss at umich.edu |
| general discussion of cosign development and deployment | |
On 25 Mar 2005, at 15:59, Cory Snavely wrote:
[...]
I think there should be a "this isn't me--log on as a different person" button. Not quite sure how to word that, but I think it's needed to help the innocent victim.
Good idea. Let's add a button/text. If the user selects this path, they will logout the previous user, and be redirected back to the URL. Since the URL required (unsatisfied) reauthN, there should be no cached cookies, the "CHECK" will fail, a new service cookie will be set, and a login will be triggered.
>>[...]
So, I would propose that service-side forcing of authen--IOW, forcing authen *after* a service cookie exists--be considered a case of the "authen timeout" feature that has been discussed before. I would conceive this as Apache directives that specify pairs of regexps and time thresholds that the local cosign module enforces by ignoring the service cookie if the age of authen falls outside the allowable parameters. Set it to 15 seconds for a regexp that matches your VISA card entry page URL; set it to 10 minutes for a regexp that matches the whole financial module of your application.
As of 1.7.x, cosign service cookies have timeouts. Currently, they are server-wide, but it could be moved to a directory/location.
Thanks, Cory