Question

I made the mistake of serving the same site from http://mysite.com and http://www.mysite.com and allowing OpenID logins from both. The realms were different for the two, www and non-www.

I ran into the problem when a user who initially logged in from www.mysite.com tried to log in from mysite.com: the token was not found, and they were prompted to create a new account.

I plan to fix the server side to always redirect to a www. version of the site, but how can I merge the tokens from the non-www site?

I can do detection using the email returned, but in some cases users have changed their email, so I can't know what their Gmail account is in order to do matching.


Solution

This is what I did:

I sent an email to all the users who had signed up with Google before and sent them a link that fixed everything.

This link contained a security hash and would auto-log them in, then redirect to an account association page. This way a new and correct Google association would be created. After it is used, the link becomes invalid.

In case the users didn't see the email, I also created an extra association entry for all Google OpenID users that had the email as the identifier, so now they have 2 Google associations, a hashed one and an email one.

Doing this the only users that would be left out are those that signed up using Google OpenID and changed their email address to something different from what their Google account provides. So the email is for them.
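The procedure the answer describes, as an added example that is not the answerer's code: an HMAC-signed, expiring, single-use "fix login" link, the association step it leads to, and the email-keyed fallback association. Everything below is assumed rather than taken from the post: the in-memory `Store`, the `SECRET_KEY`, the link path `https://www.mysite.com/fix-login`, the seven-day validity window, and the OpenID identifiers used in the demo are all constructed.

```python
"""One-time "fix login" links plus an email fallback for re-associating OpenID users."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed server-side secret; in a real deployment load it from config, never from source.
SECRET_KEY = b"replace-me-with-a-long-random-secret"
LINK_TTL_SECONDS = 7 * 24 * 3600  # assumed validity window for the emailed link


@dataclass
class Store:
    """Constructed in-memory stand-in for the site's user and association tables."""
    users: dict = field(default_factory=dict)         # user_id -> current email on the site
    associations: dict = field(default_factory=dict)  # OpenID claimed identifier -> user_id
    email_assocs: dict = field(default_factory=dict)  # Google email used as identifier -> user_id
    pending: dict = field(default_factory=dict)       # link nonce -> user_id, removed on first use


def _sign(payload: bytes) -> str:
    """The 'security hash' in the link: an HMAC-SHA256 over the payload with the server secret."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_fix_link(store: Store, user_id: int, now: Optional[float] = None) -> str:
    """Build the emailed link: a signed payload carrying the user id, a random nonce and an expiry."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expiry = int(now) + LINK_TTL_SECONDS
    payload = f"{user_id}:{nonce}:{expiry}".encode()
    store.pending[nonce] = user_id  # remembered so the link can be consumed exactly once
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + _sign(payload)
    return f"https://www.mysite.com/fix-login?t={token}"  # assumed path on the canonical www host


def redeem_fix_link(store: Store, link: str, now: Optional[float] = None) -> Optional[int]:
    """Verify the link; return the user_id to auto-log-in, or None if it is forged, expired or used."""
    now = time.time() if now is None else now
    try:
        token = link.split("?t=", 1)[1]
        encoded, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
        if not hmac.compare_digest(_sign(payload), sig):  # constant-time signature check
            return None
        user_id_s, nonce, expiry_s = payload.decode().split(":")
        user_id, expiry = int(user_id_s), int(expiry_s)
    except (IndexError, ValueError):  # malformed token, bad base64, or wrong field count
        return None
    if now > expiry:
        return None
    # Single use: pop the nonce, so a second visit with the same link finds nothing.
    if store.pending.pop(nonce, None) != user_id:
        return None
    return user_id


def associate(store: Store, user_id: int, claimed_id: str) -> None:
    """Association page step: record the identifier the (new) realm hands back for this user."""
    store.associations[claimed_id] = user_id


def add_email_association(store: Store, user_id: int, google_email: str) -> None:
    """The answer's fallback: a second association keyed on the Google email from signup."""
    store.email_assocs[google_email.lower()] = user_id


def login(store: Store, claimed_id: str, google_email: str) -> Optional[int]:
    """Resolve an OpenID response to a user: claimed identifier first, then the email fallback."""
    user_id = store.associations.get(claimed_id)
    if user_id is not None:
        return user_id
    return store.email_assocs.get(google_email.lower())


if __name__ == "__main__":
    s = Store(users={1: "alice@gmail.com"})
    associate(s, 1, "https://www.google.com/accounts/o8/id?id=www-realm-opaque")  # constructed
    link = issue_fix_link(s, 1)
    uid = redeem_fix_link(s, link)
    associate(s, uid, "https://www.google.com/accounts/o8/id?id=nonwww-realm-opaque")  # constructed
    print("re-associated user", uid, "; second use ->", redeem_fix_link(s, link))
```

The link logs the holder in, so it should go only to the address already on file and the validity window should be as short as the mailing allows; the nonce table is what makes it single-use, and the email-keyed lookup is deliberately a fallback after the identifier lookup so a user whose site email no longer matches their Google email simply falls through to None, which is the case the answer leaves to the mailing.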

Licensed under: CC-BY-SA with attribution