I have two pages: login.php and return.php. Both use LightOpenID.
The page login.php creates a link to an OpenID provider and tells the provider to return the result to return.php.
The following is the normal flow of using those two pages:
1. Go to login.php and click the link.
2. Log in using a Google account.
3. The system redirects to return.php and shows that User ... has logged in.
However, later on, I can make return.php say the same thing even if I don't do Step 2, by pasting the URL of return.php with its query string (copied from Step 3).
How can I know whether a user really logged in using OpenID or just pasted the URL from the previous login?
Here is the code:
login.php
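```php
<?php
require_once 'openid.php';
$openid = new LightOpenID("mydomain.com");
// Google's OpenID discovery endpoint
$openid->identity = 'https://www.google.com/accounts/o8/id';
// The provider sends the browser back here with the result in the query string
$openid->returnUrl = 'http://mydomain.com/return.php';
?>
<a href="<?= $openid->authUrl() ?>">Login</a>
```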
return.php
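```php
<?php
require_once 'openid.php';
$openid = new LightOpenID("mydomain.com");
if (!$openid->mode) {
    // No OpenID parameters in the request at all
    echo 'Please go to login.php';
} elseif ($openid->mode == 'cancel') {
    // Checked before the generic case; otherwise this branch is never reached
    echo 'User has canceled authentication!';
} else {
    // validate() checks the OpenID response carried in the query string
    echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.';
}
?>
```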
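
One way to tell a fresh login from a pasted return URL, as an added example that is not part of the original post or of LightOpenID: remember each `openid.response_nonce` per provider endpoint and accept it only once, within a short time window. The function name `accept_nonce_once()`, the `$seen` array (a stand-in for a shared store) and all sample values are assumptions made for illustration.

```php
<?php
// Added example (not LightOpenID code). accept_nonce_once() and the $seen
// array are hypothetical; $seen stands in for a shared store such as a
// database table with a unique key on (op_endpoint, nonce).

/**
 * Return true only the first time a given (endpoint, nonce) pair is
 * presented, and only while its timestamp is within $maxAge seconds of $now.
 */
function accept_nonce_once(string $endpoint, string $nonce, array &$seen,
                           int $now, int $maxAge = 300): bool
{
    // OpenID 2.0 nonces begin with a UTC timestamp: 2011-05-15T17:11:51Z...
    if (!preg_match('/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)/', $nonce, $m)) {
        return false;                       // malformed or missing nonce
    }
    $issued = strtotime($m[1]);
    if ($issued === false || abs($now - $issued) > $maxAge) {
        return false;                       // response is too old (or too new)
    }
    // Drop expired entries so the store stays bounded.
    $seen = array_filter($seen, fn($t) => $now - $t <= $maxAge);

    $key = hash('sha256', $endpoint . "\n" . $nonce);
    if (isset($seen[$key])) {
        return false;                       // same response presented again
    }
    $seen[$key] = $issued;
    return true;
}

// Constructed sample values, not taken from a real provider response.
$endpoint = 'https://op.example/endpoint';
$nonce    = '2011-05-15T17:11:51ZabC123';
$now      = strtotime('2011-05-15T17:12:00Z');
$seen     = [];

var_dump(accept_nonce_once($endpoint, $nonce, $seen, $now));        // first use
var_dump(accept_nonce_once($endpoint, $nonce, $seen, $now + 5));    // replay
var_dump(accept_nonce_once($endpoint, $nonce, $seen, $now + 3600)); // stale
```

In return.php the inputs would come from `$_GET['openid_op_endpoint']` and `$_GET['openid_response_nonce']` (PHP turns the dots in parameter names into underscores), and the check belongs after `$openid->validate()` has returned true, since OpenID 2.0 requires both fields to be covered by the response signature.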