[wp-hackers] OpenID vs wp-comments-post.php

Otto otto at ottodestruct.com
Mon Jun 25 16:12:40 GMT 2007

Shows off one more way in which the OpenID protocol is fundamentally
broken, IMO. The fact that the OpenID Server has to redirect the user
back and thus use a GET is a fundamentally flawed way of doing things.
GETs must be idempotent, and posting a comment or anything along those
lines is not idempotent.

Still, consider using a different redirection page. Instead of
redirecting them back to wp-comments-post.php, redirect them to
another page which will get their login information (like their email
address) from the OpenID request and such and then fill in a form for
them to submit directly. It adds another step to the process, but then
that's what OpenID does: makes things more complicated.

On 6/23/07, matthias at netsensei.nl <matthias at netsensei.nl> wrote:
> Hello,
> Recently I created a wordpress plugin for WP2.1: simple OpenID plugin.
> What it does is act as a simple OpenID consumer for commenters using their
> OpenID instead of entering their nickname or using a local WP account.
> http://wordpress.org/extend/plugins/simple-openid-plugin
> I got a beta released in May... it seemed to work with a little effort on
> WP 2.1 but WP 2.2 seems to be a no go.
> Description of the problem:
> Whenever a commenter wishes to use his OpenID login, he/she gets a blank
> page on wp-comments-post.php.
> Context:
> The OpenID protocol notes that consumer should redirect the user's user
> agent (browser) to their respective OpenID provide (i.e. myopenid.com) for
> authentication. The OpenID provider redirects them back to the consumer
> script  they came from with a positive/negative authentication answer and
> some additional data. Based upon the answer, the script can react
> accordingly: logging in or - in this case - allowing a comment to be saved
> in the WP database.
> Cause:
> In 2.2 wp-comments-post.php doesn't allow GET requests anymore which
> results in a blank page due to a security patch.
> - http://comox.textdrive.com/pipermail/wp-hackers/2007-February/010722.html
> - http://trac.wordpress.org/ticket/3797
> The problem is that my OpenID plugin hooks on wp-comments-post.php. It
> redirects the users to their OpenID provider. The provider then sends them
> back to wp-comments-post.php with a GET request. Finally, the plugin gets
> the user data from GET request and uses it to complete the comment before
> storing it in the WP database.
> So. There you have it. I acknowledge that using GET requests directly on
> wp-comments-post.php is an open inivitation for spammers, but it closes a
> lot of opportunities. I could hack around using some other script and the
> 'init' action hook in order to get GET requests to accepted, but that's
> not really a good solution. Conversion of GET to POST before feeding to
> wp-comments-post.php isn't a great solution either.
> I wonder if someone has a good idea to get this working properly.
> Oh, an unrelated problem: under WP 2.1, OpenID enabled comments posted
> through my plugin where send to the spambin by askimet nonetheless.
> Thanks in advance,
> Matthias Vandermaesen
> --
> http://www.netsensei.nl
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list