@Ben: Well, PHP4 is officially dead and so it doesn’t make much sense to support it anymore. However, feel free to grab the source from GitHub and modify it accordingly, if you need the component in a PHP4 environment.

Yes, CakePHP includes all the needed database access functionality, and I considered to use this functionality. However, in the end it was more pragmatic to use what’s already available in the OpenID lib than to write my own CakeMySQLStore.

-Ben

The OpenID lib is PHP4.

The OpenID CakePHP component is only a small amount of code to change back to PHP4.

No reason for PHP5 except to make the script incompatible with most servers.

-Ben

Well, as you quoted from the spec, “Relying Parties MUST differentiate between URL Identifiers that have different schemes.”. This means, you violate the spec if you would modify the behavior of Consumer.php (or the OpenID component) to treat https://example.com and http://example.com as the same identifier.

So, my recommendation is to keep it like it is and to follow the spec ;-)

The plugin is running very smoothly for me, thanks for that! There is only one thing I kept wondering about: When I enter my OpenID preceeded by “https://” the response does not have the same identiy_url compared to entering the OpenID with “http://”.

This is of course totally correct according to the OpenID Specs and my first idea was to just store the identity_url for a user with the protocol stripped and compare that with the identy_url returned by the authentication process (with the protocol stripped also) and thus making the different identity-urls map to the same user, but the specs also stated that »Relying Parties MUST differentiate between URL Identifiers that have different schemes. When end user input is processed into a URL, it is processed into a HTTP URL. If the same end user controls the same URL, differing only by scheme, and it is desired that the Identifier be the HTTPS URL, it is RECOMMENDED that a redirect be issued from the HTTP URL to the HTTPS URL. Because the HTTP and HTTPS URLs are not equivalent and the Identifier that is used is the URL after following redirects, there is no foreseen reduction in security when using this scheme. If an attacker could gain control of the HTTP URL, it would have no effect on the HTTPS URL, since the HTTP URL is not ever used as an Identifier except to initiate the discovery process.« (http://openid.net/specs/openid-authentication-2_0.html#anchor45)

Is this something to be done in the Consumer.php or is there a way to accomplish just that with your plugin the easy way? If not I’ll have to go by the stripping-approach or try to find out wether the OpenID library can be taught to do that. Anyway any hint in the right direction would be greatly appreciated!

Greetings,
Caffeine

Anyway, I hope it works fine now.

Anyways, we just went through and hardcoded the require_once links in the openID folder and it seems to be okay now. Knock wood I guess.

Thanks again for your time.

james

My guess is that it is some problem with the include path and ini_set/ini_get (at the top of the Openid component), but I have no idea what… So right now I’m quite clueless :|

Thanks again
james