On Mon, Feb 1, 2010 at 9:54 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:

> Daevid Vincent wrote:
>
>>> -----Original Message-----
>>> From: Al [mailto:news@xxxxxxxxxxxxx]
>>> Sent: Monday, February 01, 2010 12:09 PM
>>> To: php-general@xxxxxxxxxxxxx
>>> Subject: OpenID
>>>
>>> This is a bit off subject, but....
>>>
>>> What is your opinion on OpenID?
>>
>> Failed gimmick. Tried to resurface again about a year ago. Still seems like
>> failure.
>
> ++
>
> Session ID hijacking is bad enough, it gives the malicious user access to
> one resource.
>
> OpenID hijacking gives the malicious user access to a ton of resources.
> And what does a user do when their OpenID provider disappears?

I think Michael hit the nail on the head as far as my concerns are.. well.. concerned. :)

Google's OpenID provider seems like it would be around forever and whatnot, but if you're going to rely on one of the "big" OpenID providers, then it would appear that OpenID itself is useless. Facebook's OpenID, etc., are on shaky ground at best.

I use a few sites that leverage OpenID as their login process, and I've got to say--it's very convenient. However, I only use my Google account for OpenID logins, so to me, it's really just a Google connector.

I commend everyone involved for their effort, but I think the underlying principles need to be re-examined. It feels like they rushed the whole concept into production before too many of the fundamental issues had been discussed and dealt with.

My 2c.

// Todd