PHP Consumer and misc things

Zefiro work at
Wed Oct 5 17:05:35 PDT 2005

Hi, List, especially Dan

I'm now using your PHP Consumer library ( for my diary - - and it seems to work fine (PHP 4.4.0).
Thanks for your work.
(I could give you my login.php with sessions to put into the example directory - though I assume you already have done something
similar within the MediaWiki-Patch)

Just a few things, though, I mentioned while implementing it:
- in your simple.php example you don't use the form input parameter field name 'openid_url' as is recommended in the spec (step
2). You also don't do this for your Mediawiki-Patch. (btw, adding the OpenID-Icon there would be nice, too)

- the example httpconsumer.php didn't work for me. When called on the local host 172.20.x.x and entered '' it forwards
me to, but only gets a blank page. Perhaps this is a bug in the lj-code, not accepting 'private' ip ranges?
(localhost works fine, though). Entering the url of the also local sampleserver.php gave me multiple errors ('Association server
response missing argument assoc_type')

Generally the lj-OID-serverpage seems to be quite picky - if something is not ok it just returns an empty page instead of some
kind of error message. I had this e.g. with errors in the trusted root. It is ok if you don't want to give attackers valuable
debug information, but at least a 'the request was malformed. Please inform the webmaster of $return_url' would be nice.

- the nounce is meant to be a one-time-token, as I understand it. It is generated in createReturnUrl, stored locally and checked
in verify_return_url. (I use md5(microtime().date("r").rand(10000, 32000)) - found somewhere in the PHP doc/usercomments, as
nounce and store it in the $_SESSION). But verify_return_url is called twice. Is this on purpose? If I'd delete the nounce after
first use it would fail the second time, making login impossible.

By the way, regarding the thoughts about how to display OpenID logged in user. I thought it best to have a separate 'Display
Name', which the user can choose freely (perhaps uniquely for the scope of my site), which is initially filled with their
claimed identity ('' in my case). A link with both href= and title= to their canonical identity (the one Dans lib now
reports back) comprise the OpenID-Icon and the display name. (The display name is filtered through htmlentities() first, the
canonical identity is not yet assumed to be problematic). What are your opinions of doing so? I would like to establish this as
'best practices'.


More information about the yadis mailing list