New Consumer Demo: OpenID Guestbook

Martin Atkins mart at
Wed May 25 00:35:56 PDT 2005

I've made a simple guestbook script which uses OpenID:

It currently does not support AJAX mode, because it's far too early in 
the morning to be faffing about with client-side JavaScript. You should, 
however, be able to log in with any Identity URL and leave a message in 
the guestbook.

The script isn't very robust; it doesn't do any locking on the guestbook 
file, for example. However, I would appreciate it if people could point 
out any bugs which allow arbitrary externally-provided HTML to be 
injected, as I hope I've got them all now.

It also doesn't do any fancy stuff with nonces and such. It doesn't 
maintain any state whatsoever apart from the guestbook datafile. This 
means that you can replay-attack it if you can get hold of a valid 
signature. It doesn't matter much for a guestbook, but in practice you'd 
maintain a nonce list somewhere and check/invalidate that as part of the 
final checking process as well.

The source code is available:

Again it's not-so-pretty Perl, but this time all of the OpenID guts are 
hidden away in the Net::OpenID::Consumer module so it should hopefully 
be clearer than my previous demo was.

If you don't like the idea of a guestbook, think of it as a weblog 
comments page. :)

More information about the yadis mailing list