Web Hosting Talk

OpenID: Security mistake?


zxc_mehran
01-04-2010, 08:52 AM
Hi to all,
If you have worked with OpenID, you should know how it works.

Okay. I have an account in yahoo.com named "john22".
I use its OpenID to log in to ... site.
I can successfully log in to ... site with that.
My username is john22 in ..., as it was in yahoo.com.

--- now ---

If somebody creates an account in Google named john22 and uses its OpenID to log in to ... site, he gets my position! He can steal my info, talk under my name, etc.

How is OpenID safe from this?

Sorry for my bad English.
Thanks.

Xeentech
01-04-2010, 01:44 PM
It's safer than this, because... this is not how OpenID works.

If the OpenID "consumer" site, in your example "... site", stores usernames as arbitrary user-supplied strings like "john22", then that is a security problem and a huge bug of that particular site. Sites don't store the user ID like that; they store the OpenID URL, because that is the unique identifier. Some sites may show a friendly version ("john22"), but they'll still be storing the proper UID.

zxc_mehran
01-05-2010, 07:50 AM
Thank you man!

Crothers
01-05-2010, 08:40 AM
As Xeentech said, OpenID should be storing the URL as the unique identifier to each site.

What this basically means is this:

You register for an OpenID enabled site at a.example.com
You login to b.example.com with your OpenID from a.example.com
Site b then stores a specific a.example.com profile, which will ONLY work for the user you signed up with, with an a.example.com URL.

It does not use usernames at all for authentication, so there is zero risk of overlap (if implemented properly). Also, when you log in to an OpenID site, you should ONLY enter your password on the OpenID provider's site (a.example.com).
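
To make the point concrete, here is an added example (not code from the thread or from any OpenID library) of a consumer site keying its accounts on the verified OpenID URL rather than on the friendly name. The provider names and the simplified identifier normalization are assumptions for illustration; the one thing it shows is that two "john22" users from different providers never collide, while a lookup by nickname would.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

def normalize_claimed_id(identifier: str) -> str:
    """Normalize an OpenID URL identifier so equivalent spellings compare equal.
    Simplified from the OpenID 2.0 rules: default the scheme to http, lowercase
    scheme and host, default an empty path to "/", and drop any fragment."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))

@dataclass
class Account:
    claimed_id: str    # the verified OpenID URL: the real unique key
    display_name: str  # friendly label only, never used for lookup

@dataclass
class ConsumerSite:
    # Assumed in-memory store, keyed by the normalized claimed identifier.
    accounts: dict = field(default_factory=dict)

    def login(self, verified_claimed_id: str, nickname: str) -> Account:
        """Called only after the provider's assertion has been verified.
        Looks up or creates the account keyed on the claimed identifier,
        so the same nickname from another provider lands in a different account."""
        key = normalize_claimed_id(verified_claimed_id)
        acct = self.accounts.get(key)
        if acct is None:
            acct = Account(claimed_id=key, display_name=nickname)
            self.accounts[key] = acct
        return acct

    def broken_lookup_by_name(self, nickname: str) -> list:
        """The mistake from the original question: matching on the friendly
        name makes every provider's 'john22' look like the same person."""
        return [a for a in self.accounts.values() if a.display_name == nickname]

if __name__ == "__main__":
    site = ConsumerSite()
    # Constructed sample identifiers, not real accounts.
    a = site.login("http://a.example.com/john22", "john22")
    b = site.login("http://other-provider.example.net/john22", "john22")
    print("same account by URL key:", a is b)
    print("matches by nickname:", len(site.broken_lookup_by_name("john22")))
```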

zxc_mehran
01-06-2010, 05:12 AM
Okay, I'm going to store those URLs somewhere as a unique identifier.

Thanks for your help.