PHP4 Consumer - is there one available?

Zefiro work at zefiro.de
Tue Jul 12 09:39:05 PDT 2005


Hello, list :)

I'm new to this list, browsed the website, glanced over the specs, read a
bit in the archive and think OpenID is just great and exactly
what I could need right now. Since I've very little free time atm and it's
only a toy project it could get majorly delayed, but I though
I'd subscribe anyway.

What I ultimately want is an OpenID-Consumer for PHP4, ideally 'out of the
box'. The Wiki says there's none atm, the list archive says
there is one for PHP5. I'll take a look at this the next free weekend I
have, perhaps you could give me a few hints if there is anything
to consider?


Not having read every mail, but I still want to say a few things mentioned
in other mails. Please correct me if I missed something (url
to relevant message in the archive is sufficient)

about Using lifetime: don't use, since you can't check. valid_until in
relative amounts (seconds) is not much different than absolute
time: it's better for time sync, but still can't force user to be logged
out. This should be left _completely_ to the consumer, and made
clear to user that there IS NO single sign out (so noone can be tricked
into thinking so just because there is a valid_until)
As I understand it, OpenID just says 'the user visiting your site has
control over the URI in question *at this very moment in time*'. I see no
need for a valid_until, since actually the server itself can't really be
sure (could just implement it's own session timeout,
which actually says nothing about the OpenID-URI)

Since it's usually a bad idea to not do anything if you see no need, but
also no reason against it, I'd like to hear comments as to why
it is a good idea to pretend something about a lifetime could be said,
when in my view it can't, or risk the user assuming all consumers
would act accordingly. Perhaps someone build a somewhat strange
implementation, not using 'cookie until browser closes' but using the same
IP until end of the day or something. Sure, it's arguably not even
'broken', just strange, but could happen.

I assume all three - user, server, consumer - could be either of
normal-legitimate, hacking bad guy or just plainly idiotic (wrong
handling, but still needed)




using @: 'at' ist NOT only for SMTP. That's just the form most people know
it. @ is used in HTTP and FTP as well (even when it's
discouraged for HTTP and MS finally and ironically as only one stopped
accepting it two years ago), meaning 'user at this host'. So
Jabber is well withing the meaning, from the technical point of view.

BUT

user at example.com will almost always be seen as an email address if
displayed - and it should be, since unix way of thinking is 'user at host'
should be the same for all protocols. Even if it's abused nearly
everywhere, especially on windows where FTP- , SMTP- and
Webservers usually don't use the login usernames, but seperate list.

So I would opt for a @ if and only if it could actually handle mail.
Further, against spam bots (who potentially don't look for mailto: but
just for @) it should NOT be used. Since then when I'm actually
using my real email - as I would think is the only really 'right' way - it
would be a hard time for my 'trying to avoid spam'

(btw, I see 'user AT example DOT com' everywhere. I can't believe there's
no spammer smart enough to parse this. And to avoid even more
spam I highly discourage the use of even email-like things in OpenID. For,
given I'm sure it would be seen as such and used by spammers,
a) users (like me) who would use neat email adresses gets spam, even if
technically it was meant as OpenID and b) the amount of globally
transmitted mail, although bouncing, would heavily increase.





I haven't seen it mentioned elsewhere, but I would like to choose a
different display name than my OpenID-URI. I'm not sure if this
would ruin the whole concept, so I just mention it to be corrected. For me
it's not that big a problem - being 'zefiro.de' (implied
http://, implied index.html) is quite cool. Being 'Zefiro, the dragon'
(perhaps with link back to my OpenID-URI, which happens to be my
homepage) would be even cooler.

For me the really interesting part about OpenID is not about
pseudo-non-anonymity or 'personal identification with the OpenID-URI', but
so that I could provide users the possibility to have a name, be given
special access rights, claim they are the same person they were
yesterday, all without the need to 'create a user' (with its really
deterring part of choosing a new password)

Actually, only reason I know about OpenID is that I recently created a
LJ-account. I did this only so that I could comment on a few
friends. I never intended to use LJ myself (I have my own diary, thanks)
but I did want to show it was me who posted the comments, and
not 'some anonymous person signing with Zefiro'. So OpenID would've been
exactly what I needed (but it's ok I signed up, now I can use
LJ as OpenID-server *g*)





If you just skipped down to here, summary is: where can I get an
OpenID-Consumer for PHP4? ;)


*purrrrrr*





More information about the yadis mailing list