I have two pages: login.php and return.php. Both use LightOpenID.
The page login.php creates a link to an OpenID provider and tells the provider to return the result to return.php.
The following is the normal flow of using those two pages.
However, later on, I can make return.php say the same thing even if I don't do Step 2, by pasting the URL of return.php together with its query string (copied from Step 3).
How can I know that a user really logged in using OpenID and didn't just paste the URL from a previous login?
Here is the code:
login.php
<?php
require_once 'openid.php';
$openid = new LightOpenID("mydomain.com");
// Google's OpenID 2.0 endpoint; the provider discovers the actual user identity
$openid->identity = 'https://www.google.com/accounts/o8/id';
// Where the provider sends the user (and the signed response) afterwards
$openid->returnUrl = 'http://mydomain.com/return.php';
?>
<a href="<?= $openid->authUrl() ?>">Login</a>
return.php
<?php
require_once 'openid.php';
$openid = new LightOpenID("mydomain.com");
if(!$openid->mode) {
    // No openid.mode in the request: the user did not arrive from the provider
    echo 'Please go to login.php';
} elseif($openid->mode == 'cancel') {
    // Must be checked before the generic branch, otherwise it is never reached
    echo 'User has canceled authentication!';
} else {
    // validate() verifies the signed response with the provider
    echo 'User ' . ($openid->validate() ? $openid->identity . ' has ' : 'has not ') . 'logged in.';
}
?>
$openid->validate() will return true only once per authentication. If a user attempts to log in again using the exact same URL (i.e. same nonce, etc.), $openid->validate() will return false. At least that's the case if the provider works according to the spec. If it doesn't, there's almost nothing you can do.
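The two things a practitioner would still want on top of the answer above are to keep the "logged in" state in a server-side session rather than in the return URL, and to refuse a repeated openid.response_nonce locally so a replayed URL is rejected even when the provider does not enforce once-only validation. The following return.php is an added example, not code from the question or from LightOpenID; it assumes LightOpenID's openid.php, a writable directory for seen nonces (NONCE_DIR, a placeholder path), and that the provider's nonce arrives as the openid_response_nonce request parameter.

```php
<?php
// return.php (added example): validate once, record the result in the session,
// and never accept the same response nonce twice.
require_once 'openid.php';
session_start();

define('NONCE_DIR', __DIR__ . '/nonces');   // assumed path; keep it outside the web root

// Returns true the first time a nonce is seen, false on every replay.
function consume_nonce($nonce) {
    if ($nonce === '') {
        return false;
    }
    if (!is_dir(NONCE_DIR)) {
        mkdir(NONCE_DIR, 0700, true);
    }
    // Hash the nonce so the file name is safe whatever the provider sent.
    $path = NONCE_DIR . '/' . hash('sha256', $nonce);
    // fopen mode 'x' fails if the file already exists (O_EXCL), so the
    // check-and-record is atomic even for two concurrent requests.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        return false;
    }
    fclose($fh);
    return true;
}

$openid = new LightOpenID("mydomain.com");

if (!$openid->mode) {
    echo 'Please go to login.php';
} elseif ($openid->mode == 'cancel') {
    echo 'User has canceled authentication!';
} else {
    // The provider may return via GET or POST; read the nonce from the one used.
    $params = ($_SERVER['REQUEST_METHOD'] === 'POST') ? $_POST : $_GET;
    $nonce = isset($params['openid_response_nonce']) ? $params['openid_response_nonce'] : '';

    // A pasted URL fails validate() with a spec-conforming provider and fails
    // consume_nonce() otherwise; either way it is not treated as a login.
    if ($openid->validate() && consume_nonce($nonce)) {
        session_regenerate_id(true);                 // new session id on login
        $_SESSION['openid_identity'] = $openid->identity;
        echo 'User ' . htmlspecialchars($openid->identity) . ' has logged in.';
    } else {
        echo 'User has not logged in.';
    }
}
?>
```

Every other page then decides "is this user logged in?" from $_SESSION['openid_identity'] alone and never from the return URL, so replaying it buys nothing. The nonce directory needs periodic cleanup of old entries (the nonce starts with a timestamp), which is omitted here.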