From 2cf1f8a31a4b8f863a3e97b7d15f7e0c1ba8c6f9 Mon Sep 17 00:00:00 2001
From: Aymeric Augustin
Date: Sun, 5 Apr 2009 21:09:58 +0200
Subject: [PATCH] Save each OpenId transaction in an unique session variable and pass its id in the URL.
---
 modules/openid.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/openid.php b/modules/openid.php
index 8d72bb0..bdae55f 100644
--- a/modules/openid.php
+++ b/modules/openid.php
@@ -107,7 +107,9 @@ class OpenidModule extends PLModule
 // We redirect to a page where the user will authenticate
 // and confirm the use of his/her OpenId
- $query = 'openid_request=' . urlencode(serialize($request));
+ $request_id = uniqid('openid-');
+ S::set($request_id, serialize($request));
+ $query = 'request_id=' . urlencode($request_id);
 pl_redirect('openid/trust', $query);
 return;
@@ -125,15 +127,15 @@ class OpenidModule extends PLModule
 $this->load('openid.inc.php');
 // Recover request in session
- $srequest = $_GET['openid_request'];
- if (is_null($srequest)) {
+ $request_id = $_GET['request_id'];
+ if (is_null($request_id) || !isset($_SESSION[$request_id])) {
 // There is no authentication information, something went wrong
 pl_redirect('/');
 return;
 }
 require_once 'Auth/OpenID/Server.php';
- $request = unserialize($srequest);
+ $request = unserialize($_SESSION[$request_id]);
 $server = init_openid_server();
 $user = S::user();
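Review bot: `uniqid('openid-')` on the first added line of the -107,7 +107,9 hunk produces an identifier derived from the current time, and the PHP manual states that uniqid() output is not suitable for security purposes. In the lines shown, this id carried in the URL is the only thing tying the later trust-page submission to the stored request, so if it is meant to be unguessable (the form's own anti-CSRF handling is not visible here) it should come from a CSPRNG, for example `$request_id = 'openid-' . bin2hex(random_bytes(16));` on PHP 7 or later. The enclosing method starts and ends outside the hunk.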
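Review bot: The new guard in the -125,15 +127,15 hunk accepts any `request_id` that names an existing session key, so the value handed to `unserialize()` is not limited to the entries written by `S::set($request_id, ...)`; any other session variable can be selected from the URL. Restrict the lookup to string ids carrying the `openid-` prefix, e.g. `if (!is_string($request_id) || strpos($request_id, 'openid-') !== 0 || !isset($_SESSION[$request_id])) {`, and check that the unserialized value is an object of the expected request type before `$request->trust_root` is read further down. `$_GET['request_id']` is also read without an `isset()` test, and `$_SESSION` is accessed directly here while the write and the delete go through `S::`; reading through the same wrapper would keep session access in one place. The handler's body begins before and continues after this hunk.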
@@ -168,13 +170,16 @@ class OpenidModule extends PLModule
 $page->changeTpl('openid/trust.tpl');
 $page->assign('relying_party', $request->trust_root);
 $page->assign_by_ref('sreg_data', $sreg_response->data);
- $query = 'openid_request=' . urlencode($srequest);
+ $query = 'request_id=' . urlencode($request_id);
 $page->assign('query', $query);
 return;
 }
 // If this point is reached, the user has just validated the form on the 'trust' page
+ // Remove the request from session since an answer will be sent
+ S::kill($request_id);
+
 // Add 'always trusted' sites to whitelist
 if (isset($_POST['openid_trust']) && @$_POST['openid_always']) {
 add_trusted_site($user, $request->trust_root);
-- 
2.1.4
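Review bot: `S::kill($request_id)` runs only once the trust form has been submitted, so a request the user abandons on the trust page, or any exit path between the `unserialize()` call and this point that lies outside the hunk, leaves its `openid-` entry in the session. Since a new entry is stored for every incoming request, the session can keep growing for its whole lifetime; consider pruning older `openid-` keys when a new one is stored, or allowing only a small fixed number of pending requests. The added comment could also record the single-use property, e.g. `// Single use: once removed, a replayed request_id fails the isset() check above and is redirected to '/'` (assuming `S::kill` unsets the key, as the existing comment implies). The method continues past the end of the hunk.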