When to Store Temporary Values in Hidden Field vs. Session vs. Database?

Posted by viatropos on Stack Overflow
Published on 2010-05-30T21:58:43Z


I am trying to build a simple OpenID login panel similar to how Stack Overflow's works. The goal is:

  • User clicks OpenID/OAuth provider
  • OpenID/OAuth stuff happens, we end up with the result (already made that)
  • Then we want to confirm that the user wants to actually create a new account (vs. associating the account with another OpenID account).

On Stack Overflow, they keep a hidden field on a form that looks like this:

<form action="/users/openidconfirm" method="post">
    <p>This is an OpenID we haven't seen on Stack Overflow before:</p>
    <p class="openid-identifier">https://me.yahoo.com/a/some-hash</p>
    <p>Do you want to associate this OpenID with your Stack Overflow account?</p>

    <div>
        <input type="hidden" name="fkey" value="9792ab2zza1q2a4ac414casdfa137eafba7">
        <input type="hidden" name="s" value="c1a3q133-11fa-49r0-a7bz-da19849383218">
        <input type="submit" value="Associate OpenID">
        <input type="button" value="Cancel" onclick="window.location.href = 'http://stackoverflow.com/users/169992/viatropos?s=c1a3q133-11fa-49r0-a7bz-da19849383218'">
    </div>
</form>

Initial question is, what are those hashes fkey and s? Not that I really care what these specific hashes are, but what seems to be happening is that they have processed the OpenID response and saved it to the DB in a temporary object or something, and from there they generate these keys, because they don't look like OAuth keys to me.

Main situation is: after I have processed OpenID/OAuth responses, I don't yet want to create a new user/account until the user submits the "confirm" form. Should I store the keys and tokens temporarily in a "Confirm" form like this? Or is there a better way? It seems that using a temp database object would be a lot of work to manage properly.

Thanks for the help. Lance
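The following is an added Ruby example (not code from the question or from Stack Overflow) of the pattern the two hidden fields suggest: the verified OpenID/OAuth result is kept server-side in a short-lived pending-association store, and the confirmation form carries only an opaque, single-use reference (`s`) plus a per-session anti-CSRF key (`fkey`). Keeping the provider tokens out of the HTML means a leaked page or referrer never exposes them, and binding the reference to the session, a TTL and single use limits what a captured form value can do. The class names `PendingAssociationStore` and `ConfirmationFlow`, the 600-second TTL and the in-memory Hash standing in for a database table are all assumptions of this example.

```ruby
require 'securerandom'

# Constant-time comparison (same approach as Rack::Utils.secure_compare), so the
# fkey/session checks do not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Server-side store for verified-but-unconfirmed identities. A Hash stands in
# for the DB table or cache a real deployment would use (assumption).
class PendingAssociationStore
  TTL_SECONDS = 600 # constructed value: how long the confirm page stays valid

  def initialize(clock: -> { Time.now })
    @clock = clock # injectable so expiry can be tested deterministically
    @entries = {}
  end

  # Store the verified identity; return the opaque token to put in the form.
  def put(session_id, identity)
    token = SecureRandom.urlsafe_base64(32) # 256-bit random, unguessable reference
    @entries[token] = {
      session_id: session_id,
      identity: identity,
      expires_at: @clock.call + TTL_SECONDS
    }
    token
  end

  # Single use: the entry is removed whether or not the remaining checks pass.
  def take(token, session_id)
    entry = @entries.delete(token)
    return nil if entry.nil?
    return nil if @clock.call > entry[:expires_at]            # stale confirm page
    return nil unless secure_compare(entry[:session_id], session_id) # other browser
    entry[:identity]
  end
end

class ConfirmationFlow
  def initialize(store)
    @store = store
  end

  # Called after the OpenID/OAuth response has been verified. Returns the hidden
  # field values; the identity itself never leaves the server.
  def begin_confirmation(session, identity)
    session[:fkey] ||= SecureRandom.hex(16) # per-session anti-CSRF key
    token = @store.put(session[:id], identity)
    { fkey: session[:fkey], s: token }
  end

  # Called when the confirm form is POSTed. Returns the identity to associate
  # with the account, or nil if the request is not acceptable.
  def confirm(session, params)
    return nil if session[:fkey].nil?
    return nil unless secure_compare(session[:fkey], params[:fkey].to_s)
    return nil unless params[:s].is_a?(String) && !params[:s].empty?
    @store.take(params[:s], session[:id])
  end
end

if __FILE__ == $PROGRAM_NAME
  flow = ConfirmationFlow.new(PendingAssociationStore.new)
  session = { id: "sess-demo" }
  fields = flow.begin_confirmation(session, { claimed_id: "https://me.example/alice" })
  puts "hidden fields: #{fields.inspect}"
  puts "confirmed: #{flow.confirm(session, fields).inspect}"
end
```

The cancel button in the question's form needs no token at all; only the "Associate" POST consumes the pending entry, and an entry that is never confirmed simply expires.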

© Stack Overflow or respective owner
