Lefora Free Forum

Questions on Lefora Third-Party Authentication API (single sign-on)

Page 1
posts 1–9 of 9
Fanatic - founder
3587 posts
If you have questions about the Developer API for single sign-on with your own website, please post them here.


Documentation located at:
__________________
find me answering questions at support.lefora.com or interviewing forum admins on blog.lefora.com
Rookie - member
4 posts

2 questions:

1) The Auto-login on return visits mechanism seems to allow someone who simply looks at cookies to easily pretend he's someone else by setting his cookie to another user's id. I guess my question is am I right or did I not understand the process?

2) In step 2, will the tokenurl parameter ever need to be added to a URL with parameters of its own?

__________________
AppleTree.com - One Global Family Tree
Fanatic - founder
3587 posts

Question 1) The cookie needs to be the userid (same as passed back in the token url) and not the username. The cookie is only used to see if they're logged into the site or not. It's not trusted. The user still gets redirected to the authentication url if the cookie doesn't match the user who's logged into Lefora. It's there just to allow the authentication to happen automatically and to make sure the user logged into Lefora is the same as logged into the external site.

Question 2) Yes, it's possible that there will be other parameters included with the tokenurl.

__________________
find me answering questions at support.lefora.com or interviewing forum admins on blog.lefora.com
Rookie - member
4 posts

Regarding question 1, I'm a little confused. So if there's a cookie with the userid, that person is NOT automatically logged in as that user without any verification. He's simply forwarded to our login mechanism if the userid on that cookie is different from what they're already logged in to lefora under. If they are NOT logged in under the lefora forum, they are forwarded to our login mechanism upon trying to login or post just like they would if there weren't any userid cookies?

__________________
AppleTree.com - One Global Family Tree
Fanatic - founder
3587 posts

yes, if there is a cookie with a userid, they're passed to you to verify.

if there is no cookie or they're not logged in to your site, then when they try to 'login' on lefora or make a post on lefora, we direct them to your site for authentication.

__________________
find me answering questions at support.lefora.com or interviewing forum admins on blog.lefora.com
Rookie - member
4 posts

Sorry to be persistent on this userid auto-login cookie deal, but I was actually hoping you'd tell me I was wrong in how I was thinking this works :). Because now I'm not sure what the point of this cookie is. Can you give me a step by step example of how this is used exactly? Something along the lines of, "user fred (id: 1234) clicks login on lefora forum and is redirected to http://example.com/authenticate/?destination=http://forum.example.com/headlines. At login prompt he enters user/pass and gets a cookie. etc etc"

BTW, why am I not getting notified by email of these thread updates? I have my notification settings to all checked.

__________________
AppleTree.com - One Global Family Tree
Fanatic - founder
3587 posts

I may have made it a bit confusing.

Basically, it's just trying to 'force' a login to lefora on a returning user, before they post or click a login link. This is useful to track if they've read a post, show them online to other members, etc.

So if a user returns to lefora and we see that cookie, we don't trust it, but know to pass them to your server, at which point if they have valid credentials and a cookie for your server, you'll automatically pass them back to us, the user would never see any of this - now they're authenticated on lefora, and we can let them know of new posts, new PMs, etc.

Make sense now?

----
Notifications only go out once a day (you can use an RSS feed of a thread to get it more frequently). If you return to a thread, we note that and won't send out a notification. So let's say you post at 8am, I reply at 10am, then you return at 5pm to read the same thread. You won't get a notification the next day because we see that you've already read the most recent posts.

__________________
find me answering questions at support.lefora.com or interviewing forum admins on blog.lefora.com
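An added illustrative model of the flow described in the replies above (this is not Lefora's code or spec; the partner session table, the shared secret and the signed userid/sig parameters on the token url are assumptions): the forum's userid cookie is only a hint that starts the redirect, the identity comes from the partner site's own session, and a tokenurl that already carries parameters is extended with '&' rather than a second '?'.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data: the partner site's own login sessions (cookie -> userid).
PARTNER_SESSIONS = {"sess-fred": "1234", "sess-alice": "5678"}
# Placeholder secret shared by forum and partner (assumption; not from the page).
SHARED_SECRET = b"example-shared-secret"


def sign(userid):
    # Assumed integrity check on the userid the partner passes back.
    return hmac.new(SHARED_SECRET, userid.encode(), hashlib.sha256).hexdigest()


def forum_on_return(lefora_userid_cookie, destination):
    """Forum side: the cookie is not trusted, it only triggers the redirect."""
    if lefora_userid_cookie is None:
        return None  # stays a guest until they click login or post
    return "http://example.com/authenticate/?" + urlencode({"destination": destination})


def partner_authenticate(partner_session_cookie, tokenurl):
    """Partner side: answers from its OWN session, ignoring what the forum cookie claimed."""
    userid = PARTNER_SESSIONS.get(partner_session_cookie)
    if userid is None:
        return None  # no session here: show the login prompt instead
    # Question 2: tokenurl may already carry parameters, so append correctly.
    sep = "&" if urlparse(tokenurl).query else "?"
    return tokenurl + sep + urlencode({"userid": userid, "sig": sign(userid)})


def forum_accept_token(url):
    """Forum side: accept the identity only if the signature on the token url checks out."""
    q = parse_qs(urlparse(url).query)
    userid = q.get("userid", [None])[0]
    sig = q.get("sig", [None])[0]
    if userid is None or sig is None or not hmac.compare_digest(sig, sign(userid)):
        return None
    return userid


def login_flow(lefora_userid_cookie, partner_session_cookie,
               destination="http://forum.example.com/headlines"):
    """Whole round trip; returns the userid the forum ends up logged in as, or None."""
    redirect = forum_on_return(lefora_userid_cookie, destination)
    if redirect is None:
        return None
    tokenurl = "http://forum.example.com/sso/token?" + urlencode({"destination": destination})
    back = partner_authenticate(partner_session_cookie, tokenurl)
    return None if back is None else forum_accept_token(back)
```

A forum cookie forged with another user's id still resolves to whoever is actually logged in on the partner site, and with no partner session it resolves to nobody.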
Rookie - member
4 posts

ok, now this makes sense regarding the cookie with a userid. Might be a little confusing for a user who logged out of our site, but then just wants to read forums (might not be the same user). Is there any way to pass the logout request to lefora from our site?

Regarding notifications, I would vote to have instant email notifications. I'm used to using this important feature on other forums.

__________________
AppleTree.com - One Global Family Tree
Fanatic - founder
3587 posts

If you clear that cookie, then we won't try to log them in.

---
Notifications - we'll have a method for instant notifications on an opt-in basis. In the meantime, if you want instant notification (to yourself, or offer it for your whole forum), you can use feedburner.com, which turns an rss feed into an email:

http://www.feedburner.com

Spec on the RSS API: http://support.lefora.com/2008/12/15/rss-api/page1/

note: if you have any more questions on notifications, please start a new thread.

__________________
find me answering questions at support.lefora.com or interviewing forum admins on blog.lefora.com
