query parameters in identity URLs
Brad Fitzpatrick
brad at danga.com
Mon Jun 27 21:15:24 PDT 2005
On Tue, 28 Jun 2005, Martin Atkins wrote:
> Brad Fitzpatrick wrote:
> >
> > The other easy thing to do is just say identity URLs can't have query
> > strings.
> >
>
> I don't think that's really feasible. There are plenty of sites out
> there which don't have *any* URLs without query strings:
> /index.php?page=about&user=mart&phpsessid=4834y59327y62358673496&uglyurl=true
>
> In an ideal world they'd clean up their URLs, but this ain't an ideal world.

Agreed.

> The .self proposal seems reasonable, though it might as well just go the
> extra few steps and become openid.canonical that was discussed before
> but dismissed.

It wasn't dismissed... it was never discussed.

Let's discuss: pros & cons...

-- con: late change
-- con: won't totally solve the problem for malicious attackers anyway
-- con: maybe somebody /wants/ to use bradfitz.com/?persona_a and
        bradfitz.com/?persona_b separately, just like foo+bar at host.com
        email separators
-- pro: can tell that two URLs are the same:
     -- con: but then does www.livejournal.com/users/brad/ get mapped
             to brad.livejournal.com on other sites? what if my paid
             account expires, and brad.livejournal.com is now an error
             message?

I'm seeing more cons than pros.

- Brad