OpenID -> PHP?

Okay...
It is really easy to find examples of how to set up OpenID libraries etc. However it is close to impossible to figure out how I would then retrieve the information from the OpenID.

So, I am working on putting a Steam login on my page, so I have downloaded their button and added the link to their login form to this button.
When people press the button they are redirected to the login form on Steam's website and then sent back, that part works fine.
What I need is how I get the 64-bit SteamID from the user who logged in?
I need this ID to access different information through the Steam API which is using JSON, XML and VDF as output, where I think I will be using XML.

If the steam API provides it, you can retrieve it. In PHP, this has to be either a string or binary string. PHP doesn't support unsigned integers, so even if you have an x64 build PHP, the numbers will not make sense. As a string though, you can parse it as a number, but typically speaking you cannot manipulate it (you can treat it as a string with [s]printf and provide a hex or unsigned long output). You can break it into parts and do manual calculations of course, but that's a lot more work than a simple +.

Well, that's not exactly what I mean.
I randomly stumbled upon the link I should use to redirect to the login page, however when users click login and are sent back to me, their Steam ID is sent to me via the GET method. The SteamID lies in an index called openid.identity, but if I use var_dump on it, it just returns null... I suppose this is some part of the object oriented PHP which I have been trying to understand for a long time without any further success.
The 64 bit key is a string, and since it's specifically made for use with PHP, ASP and JScript, I suppose it should also work.
Their documentation is not very descriptive though and I have never worked with objects or openid's before - and their documentation seems to assume you have done this before with another openid provider.

Can you post an example of the URL itself? You can use 0's for the id's, I'm assuming we're looking at probably a guid anyway.
As well, can you show what you mean by accessing it? This sounds like you may have something that's specific to the Steam API, a provided class of some sort, which may be incorrectly used. Are you sure the class wants to work via GET, and not something like curl?

1. By accessing - I mean being able to store the login so I can make sure the user is authenticated when he/she is using my website

2. When I complete logging in, I am sent to my own website with this URL:

http://sv2.zeroyear.net/gmod/applications/index.php?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin&openid.claimed_id=http%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197999640847&openid.identity=http%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197999640847&openid.return_to=http%3A%2F%2Fsv2.zeroyear.net%2Fgmod%2Fapplications&openid.response_nonce=2011-11-15T22%3A05%3A32ZEAkBgdDHokZ6yVQLbh%2FzGv6wheY%3D&openid.assoc_handle=1234567890&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle&openid.sig=mdAq6kLGyUN%2B8h7eFlkVR7EZaJg%3D
The variable it should return (As MY user) would be http://steamcommunity/openid/id/76561197999640847 as it appears in their documentation (http://steamcommunity.com/dev).

Steam can act as an OpenID provider. [...] use http://steamcommunity.com/openid as the provider. The returned Claimed ID will contain the user's 64-bit SteamID. The Claimed ID format is: http://steamcommunity.com/openid/id/<steamid>
The 64-bit key would then be "76561197999640847"

EDIT: Also the ID's are publicly available and are used to access members' profile pages - so it doesn't matter to me anyway ;)
I just need it in order to know which player to display and use information from.
What I am actually building is a system where you nominate another person (and only once per profile, profile also needs to have the appropriate game to prevent multiple accounts) - and it would be easier to just use Steam, as my site is not interesting to people who don't have a Steam account anyway.
The Steam API allows me to check which games they have purchased. If their profile is marked as private, they simply just have to make it publicly available for a short while - otherwise they will just be rejected and told to publish their profile, perhaps removing harmful content if any.

By access, I meant what are you doing to access the returned value.
I don't think I'll need it though. Just noticed these are . separated. PHP does not allow . within variable names, and they are replaced with _ instead. So you should be able to retrieve that URL under $_GET['openid_claimed_id']. To pull the part out, just use parse_url() to pull the parts or use explode to separate the bits.

Okay, so one last thing...
What can I then do in order to prevent people from just taking the URL and enter another 64-bit key?
As I said, those are publicly available, and people could then log into other people's accounts without the password...
If people enter an URL, is the referer then null, or the page they were on when they pressed enter?

Does the returned result change upon logging in again? If so, that's simply a session identifier. If it doesn't change, and just accessing it provides authentication, they have themselves a serious security flaw (which I can't see being the case). Something screams that you are missing something though, you should have a handling library of some sorts that does all the heavy work for you and the returned results should be contacting a specific handle on your site.

I _think_ that the value called something with once is a session identifier... I didn't manage to pull this trick on another site at least.
Yes, I installed an openid library, however I don't know how it works, how to use it, and what it can do...
This one exactly, the PHP5 version: http://www.openidenabled.com/php-openid/

I think you'll need to jump through the documentation examples there to determine exactly what you need to do. I'm afraid I've never used the library, so I cannot write any examples for you.

Well, I have already looked for one, however I cannot find any :/
Have you ever used any other PHP compatible libraries that you can recommend? Including a link to its documentation :)

No, I've always just written anything I needed to match a created API instead. The only times I've needed to do this was controlled by both sides, so I wrote an API in PHP to provide web access to game extensions written in Lua.

But shouldn't it be fine to just store the ID in the $_SESSION array?

I would say so yes. No matter what, when it comes to external communication you can only do so much to protect it. There are other alternatives such as CURL that lets you do this in the background, but that may depend on their TOS if you are allowed to use it (as it can intercept username and password combinations).
If it is just a session identifier, then your goal should simply be to remove it from the url so the user cannot copy and paste it into something for everyone else to see. If you provide a return page that detects this data then stores it as a session with an immediate redirect, that should limit most of the chance of copying it out (though not eliminate it of course). I'd check the steam forums as well, there may be people with questions and examples of steam specific usage too.

Which brings me to something I was about to ask someone about yesterday but forgot.
header("Location: http://www.example.com/") needs to be sent before any information is sent... It never works for me however. Not even if I put it in the <head> block of my HTML...

header is a PHP call. It modifies the headers so it must be presented before any output to the page (including anything before the start of the <?php tag as well). That is likely why it has never worked. This is why all PHP processing in a page should occur before any output, since otherwise you need to cheat and use an output buffer to allow data to be printed before the headers have been sent.

So how would I redirect them as fast as possible but still keeping the data?

By using a header. The URL will only be available until it's been redirected. Header without a meta to count it down is immediate since it's all processed before being sent to the client. The URL only remains for the duration of time it takes for the webservice to pick it up.
If allowed, curl can get around this completely. I avoid providing help with curl since it can be used easily for phishing, but you can look up curl in the PHP API instead (after checking Steam's TOS for whether they deny it; if not, it's fair game).
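
The return-page flow this thread works towards (read the underscore-renamed openid fields, reject a copied or hand-edited URL, store the SteamID in $_SESSION, then redirect with header()), as an added example that is not code from any poster or from Steam. RETURN_TO and the redirect target are placeholders, and it assumes allow_url_fopen and the openssl extension are enabled; the key step is the OpenID 2.0 check_authentication request, which the specification says a provider must answer positively at most once per response.

```php
<?php
// Added example, not from the thread. RETURN_TO and the redirect target are placeholders.
const STEAM_OP  = 'https://steamcommunity.com/openid/login';
const RETURN_TO = 'https://example.com/steam-return.php'; // must equal the return_to you sent
const MUST_SIGN = ['op_endpoint', 'claimed_id', 'identity', 'return_to', 'response_nonce'];

// Local checks on the query string. PHP has already turned "openid.x" into "openid_x".
function steamIdFromAssertion(array $q): ?string
{
    if (($q['openid_mode'] ?? null) !== 'id_res') return null;
    if (($q['openid_return_to'] ?? null) !== RETURN_TO) return null;
    if (($q['openid_op_endpoint'] ?? null) !== STEAM_OP) return null;
    $signed = $q['openid_signed'] ?? null;          // fields covered by openid.sig
    if (!is_string($signed) || array_diff(MUST_SIGN, explode(',', $signed))) return null;
    $claimed = $q['openid_claimed_id'] ?? null;
    if (!is_string($claimed) || $claimed !== ($q['openid_identity'] ?? null)) return null;
    if (!preg_match('#^https?://steamcommunity\.com/openid/id/(\d{17})$#D', $claimed, $m)) return null;
    return $m[1]; // keep the 64-bit SteamID as a string (17 digits, as in the thread's URL)
}

// Server-to-server check (OpenID 2.0 check_authentication): send every openid.* field back
// to Steam and accept only "is_valid:true". The endpoint is fixed, never taken from the URL.
function steamConfirms(array $q): bool
{
    $post = [];
    foreach ($q as $k => $v) {
        if (is_string($v) && strncmp((string) $k, 'openid_', 7) === 0) $post['openid.' . substr($k, 7)] = $v;
    }
    $post['openid.mode'] = 'check_authentication';
    $ctx = stream_context_create(['http' => ['method' => 'POST', 'timeout' => 10,
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($post, '', '&')]]);
    $body = @file_get_contents(STEAM_OP, false, $ctx);
    return is_string($body) && preg_match('/^is_valid:true\s*$/m', $body) === 1;
}

// Return-page handler: must run before any output so header() still works.
if (isset($_GET['openid_mode'])) {
    $id = steamIdFromAssertion($_GET);
    if ($id === null || !steamConfirms($_GET)) {
        http_response_code(403);
        exit('Steam login could not be verified.');
    }
    session_start();
    session_regenerate_id(true);      // fresh session ID at login
    $_SESSION['steamid'] = $id;       // trusted only because Steam confirmed the response
    header('Location: /', true, 303); // placeholder target; drops openid.* from the address bar
    exit;
}
```

Later pages should read the SteamID only from $_SESSION['steamid'], never from the query string.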









