+ # check age/signature of return_to
+ my $now = time();
+ {
+ my ($sig_time, $sig) = split(/\-/, $self->args("oic.time") || "");
+ # complain if more than an hour since we sent them off
+ return $self->_fail("time_expired") if $sig_time < $now - 3600;
+ also complain if the signature is from the future by more than 30 seconds,
+ # which compensates for potential clock drift between nodes in a web farm.
+ return $self->_fail("time_in_future") if $sig_time - 30 > $now;
+ # and check that the time isn't faked
+ my $c_secret = $self->_get_consumer_secret($sig_time);
+ my $good_sig = substr(OpenID::util::hmac_sha1_hex($sig_time, $c_secret), 0, 20);
+ return $self->_fail("time_bad_sig") unless $sig eq $good_sig;
+ }
+
+> At least it doesn't seem to be a time sync problem since the test for too
+> early/too late times have different error messages.. --[[Joey]]
+
+I've had this problem too, but with my track record of reporting OpenID bugs
+I thought it best if I held my tongue. I usually experience this the first
+time I sign in on any ikiwiki installation of {ikiwiki.kitenet, ikidev,
+betacantrips}, and I think re-logging in always works. --Ethan
+
+> Does seem easier to repro than I thought.
+> Ok, fixed it.. [[bugs/done]] --[[Joey]]