Why We Don't Do Prelogin

From The Socknet

Jump to: navigation, search

Prelogin, the ability for a user to click a link on his provider and arrive at a foreign website in a logged-in state, is a concept that's been considered modestly.

It is no longer being pursued because it adds a layer of complication to the system. While providers work hard to ensure that links do not become public unless they are meant to be public, users are not so fastidious.

The system would be exactly that: a link with some special code which leads to a logged-in state. If this becomes public, the user is in immediate danger of identity theft on an unknown scale.

More importantly, OpenID already does login very well. URL Processing describes a system that helps services identify the user's OpenID. Once a service knows a user's OpenID, it can log him in quickly.

In most cases, the user will already be logged into his OpenID provider (many OpenID providers keep users logged in for long periods of time), so the only action required, if any, is to click the "Yes log me into service X" button. After the user has done this once, he might never need to see the request again. This mechanism is safe and easy to use.

So no extra mechanism is necessary.

Retrieved from "http://www.socknet.net/w/Why_We_Don%27t_Do_Prelogin"
Personal tools