Inferring return_to
Martin Atkins
mart at degeneration.co.uk
Tue Jun 14 07:57:30 PDT 2005
Brad Fitzpatrick wrote:
>
> Look, you already fucked up: you can't just append a "?" without checking
> for an existing "?". So you'll say:
>
> $url .= ($url =~ /\?/ ? "&" : "?") . "foo=bar";

This isn't like the other cases where we're taking someone else's URL
and adding arguments to it. I'm generating the entire URL, so I know
whether it already has a query string in it.

> But at that point, why not:
>
> $url = URL->new($url)->param("foo", "bar");
>
> Whoops, I just used a URL class, and I'm not sure how it's implemented.
>
> See?
>

Fair enough. Still seems like it'd be easier to say:

    $url = "http://www.mysite.com/openid?foo=bar&sid=".$sid;

or perhaps

    $url = $LJ::SITEROOT."/openid/login.bml?crazyparam=".$crazy;

(if you don't like the idea of hardcoding the full URL)

Either way I can easily recreate the exact same URL for validation later
as all of that data is still available. I'd also be pretty concerned if
a URL class didn't have exactly the same result given the same set of
operations on it; even if the ordering is crazy, it should be crazy in
the same way every time.

I'm not at all against having the return_to URL repeated back in the
response, but I'm certainly never going to use it so for me it's just a
waste of query string space. I trust my own URL forming code more than I
trust the ID server not to send back something completely off the wall,
and if the ID server's sending back incorrect reply_to URLs I'd want it
to fail horribly so that they stop doing that.
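
Added example (not part of the original message, and not code from either poster): a Perl sketch of the approach discussed in this thread, where the consumer generates its own return_to, rebuilds it from stored session data when the response arrives, and rejects any echoed value that differs. The host names, the `sid` parameter layout and the helper names are assumptions made for the illustration.

```perl
use strict;
use warnings;

# Assumed site root for this sketch; not taken from any real deployment.
my $SITEROOT = "http://www.example.com";

# Percent-encode a query component using core Perl only.
sub esc {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf("%%%02X", ord($1))/ge;
    return $s;
}

# The consumer generates the whole URL itself, with its parameters in a
# fixed order, so the same inputs always produce the same string.
sub build_return_to {
    my ($sid) = @_;
    return "$SITEROOT/openid/login.bml?sid=" . esc($sid);
}

# Appending to a URL that came from someone else: it may already carry a
# query string, so pick "&" or "?" accordingly.
sub add_param {
    my ($url, $k, $v) = @_;
    return $url . ($url =~ /\?/ ? "&" : "?") . esc($k) . "=" . esc($v);
}

# On the way back: rebuild the URL from stored session data and require an
# exact match with whatever the ID server echoed. Any difference fails.
sub check_return_to {
    my ($sid, $echoed) = @_;
    return defined $echoed && $echoed eq build_return_to($sid);
}

my $sid = "a1b2 c3";    # constructed session id
my $rt  = build_return_to($sid);
print "return_to: $rt\n";
print "to server: ",
    add_param("http://id.example.net/server?user=mart", "return_to", $rt), "\n";

# Constructed echoes: exact, extended, different host, missing.
for my $echo ($rt, "$rt&extra=1",
              "http://other.example/openid/login.bml?sid=a1b2%20c3", undef) {
    printf "%-5s %s\n", (check_return_to($sid, $echo) ? "ok" : "FAIL"),
        $echo // "(missing)";
}
```

Only the first echoed value passes; the extended URL, the different host and the missing value are all rejected by the exact string comparison.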