Comments on: hasAccount

By: sil

sil — Mon, 01 Oct 2007 14:17:30 +0000

drewm: nice. I didn’t know about that. Something to look at…

By: drewm

drewm — Mon, 01 Oct 2007 14:13:22 +0000

Simpler is to take the users URL (be that their OpenID or just a ‘homepage’ field value) and parse it for links to profile pages on supported services. The rel=”me” microformat provides a mechanism to indicate a related page with further information about the person described by the current page.

See my OpenID URL (drewmclellan.net) for an example.

By: Riselocal.Com » hasAccount

Riselocal.Com » hasAccount — Fri, 28 Sep 2007 18:10:35 +0000

[...] unknown wrote an interesting post today on hasAccountHere’s a quick excerpt [...]

By: John Drinkwater

John Drinkwater — Fri, 28 Sep 2007 15:21:19 +0000

Once you know that a site does have an account for the user, you… ?

…still require them to enter their username for the foreign site — hasAccount returning username would give too much info to malicious scripts imho,
…still require them to fill in more details the foreign site might not have or show publically (like email).

If they used OpenID, it would be:
user provides OpenID URL, [user logs into provider, ] user confirms trust at provider, provider sends simple reg details, sign up complete.

I think OpenID is the way we all want sign–up to go — not this current trend of focusing on popular social networking sites for account details ;)

Oh, and your OpenID URL could always host your hCard anyway, so win–win.

By: sil

sil — Fri, 28 Sep 2007 12:51:32 +0000

The reason I don’t want it to return just a 1 or a 0 or a status code is that then you need help from the server to fetch it, and the server can’t say “am *I* logged in” because it is not the user. If I, Stuart, open up example.com in my web browser, and example.com includes a script src tag to flickr.com/services/hasAccount, my web browser fetches it (and thus it can evaluate whether I, Stuart, am logged in there or not). If it can’t be included with script src then it has to be fetched by a server process on example.org itself (because my browser can’t make cross-domain XMLHttpRequests to flickr.com) and the example.org server is not me and won’t have my Flickr login cookie.

By: James Henstridge

James Henstridge — Fri, 28 Sep 2007 12:49:33 +0000

Stuart: imagine if the flickr page returned a script that posted document.cookies back to them instead of calling myFunction().

I don’t know what sort of authentication system you are using for your account, but many work by first associating a session cookie with the user, then associating an account with the session cookie when they log in.

So while the user may not have an account at this point, the session cookie may become valuable a short time into the future …

By: Rory McCann

Rory McCann — Fri, 28 Sep 2007 12:44:03 +0000

I agree with others that returning Javascript is a bad idea. Why not just use the HTTP sttus codes? 404 for not found, 200 for OK etc etc. That gives us a wealth of existing status.

You can kind of do something like this by just looking for http://flickr.com/photos/USERNAME.Hackesh and site dependant though.

By: http://resiak.livejournal.com/

http://resiak.livejournal.com/ — Fri, 28 Sep 2007 12:05:51 +0000

Also, your closing quote character is not the correct character. It should be U+201D (http://salami.ox.compsoc.net/~resiak/cgi-bin/unicloud?cp=201D), but is U+2033 DOUBLE PRIME (http://salami.ox.compsoc.net/~resiak/cgi-bin/unicloud?cp=2033) and hence looks silly. :-)

By: http://resiak.livejournal.com/

http://resiak.livejournal.com/ — Fri, 28 Sep 2007 12:02:19 +0000

Eh, evaluating random javascript from some other server seems like a really bad idea. What’s wrong with it just returning “1″ or “0″?

By: Roger

Roger — Fri, 28 Sep 2007 08:19:18 +0000

And there was me thinking this was going to be a lol* type post.

canHasAccount?