Ok, so I finally figured out why my tests have been acting up weird (and why x-has-session seemed like it didn't do anything): If you are logged in with multiple accounts (which was the case for me) Google OpenID login works a bit differently.
Let's go through the differences (these results are obtained via my own testing, so they may not be 100% accurate - they are also assuming nothing else would trigger a setup_needed response from Google, such as switching openid.realm):
1: Immediate requests not specifying OpenID and not specifying x-has-session:
- Not logged in: Google specifies the parameter openid_mode=setup_needed in the response.
- Single session: If user has approved the service, Google specifies the parameter openid_mode=id_res, otherwise openid_mode=setup_needed in the response.
- Multiple sessions: Google specifies the parameter openid_mode=setup_needed in the response regardless of having approved the service or not.
2: Immediate requests not specifying OpenID, but specifying x-has-session:
- Not logged in: Same as 1 (not logged in).
- Single session: If user has approved the service, Google specifies the parameter openid_mode=id_res and ignores x-has-session, otherwise openid_mode=setup_needed and openid_ext1_mode=x-has-session in the response.
- Multiple sessions: Google specifies the parameter openid_mode=setup_needed in the response regardless of having approved the service or not.
3: Immediate requests specifying OpenID and not specifying x-has-session:
- Not logged in: Same as 1 (not logged in).
- Single session: Same as 1 (single session).
- Multiple sessions: Same as single session.
4: Immediate requests specifying OpenID and x-has-session:
- Not logged in: Same as 1 (not logged in).
- Single session: Same as 2 (single session).
- Multiple sessions: Same as single session.
In other words:
- If using single session, immediate mode using x-has-session can either tell you if a Google user is logged in or return a successful response if user has already approved the service regardless of specifying their OpenID.
- If using multiple sessions and specifying the OpenID the behavior is the same as single session.
- If using multiple sessions without specifying the OpenID immediate mode always returns a failure response and x-has-session is not applicable.
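As an added example (not code from the original post), here is a small relying-party helper that turns an immediate-mode response into a conclusion, following the four cases above; it assumes the response has already been parsed into a dict using the parameter names the post uses (openid_mode, openid_ext1_mode), and that the caller knows whether it sent an OpenID identifier and whether it sent x-has-session.

```python
from urllib.parse import parse_qs

# Possible conclusions a relying party can draw from an immediate-mode response.
AUTHENTICATED = "authenticated"                     # openid_mode=id_res
LOGGED_IN_NOT_APPROVED = "logged_in_not_approved"   # setup_needed, x-has-session echoed back
NOT_LOGGED_IN = "not_logged_in"                     # setup_needed, x-has-session sent but not echoed, OpenID given
UNKNOWN = "unknown"                                 # setup_needed; cannot tell not-logged-in from multiple sessions


def parse_response(query_string):
    """Flatten a URL-encoded immediate-mode response into a name -> value dict.

    Parameter names are assumed to already be in the post's underscore form.
    """
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def interpret(params, openid_sent, has_session_sent):
    """Classify a Google immediate-mode response per the post's observations.

    openid_sent:      True if the request named the user's OpenID (cases 3 and 4).
    has_session_sent: True if the request carried x-has-session (cases 2 and 4).
    """
    mode = params.get("openid_mode")
    if mode == "id_res":
        # Single session (or multiple sessions with the OpenID given) and the
        # user has already approved the service.
        return AUTHENTICATED
    if mode != "setup_needed":
        raise ValueError("unexpected openid_mode: %r" % (mode,))

    # Google only echoes the extension when the user is logged in (single
    # session) but has not yet approved the service.
    if has_session_sent and params.get("openid_ext1_mode") == "x-has-session":
        return LOGGED_IN_NOT_APPROVED

    # setup_needed without the extension echoed. If we named the OpenID and
    # asked for x-has-session, the multiple-session case behaves like single
    # session, so the only remaining explanation is that nobody is logged in.
    if openid_sent and has_session_sent:
        return NOT_LOGGED_IN

    # Without the OpenID the multiple-session case also yields a bare
    # setup_needed, and without x-has-session so does "logged in but not
    # approved"; either way the response is ambiguous.
    return UNKNOWN
```

A relying party that treats UNKNOWN as "not logged in" will keep prompting users who hold several Google sessions, which is the symptom the post describes.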