validate(）函数如何阻止伪造的身份验证请求

我刚刚调试了一段php代码，其中我的登录代码没有正确验证请求。我不知何故跳过了使用->validate（）函数，我的一位网站测试人员通过从谷歌（下面）获得回复并将他的电子邮件更改为管理员电子邮件，成功登录了一个管理员帐户。

http://mydomain/login/?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-02-15T03%3A56%3A27ZY153c0JFI0G5wA&openid.return_to=http%3A%2F%2Flocalhost%2Flogin%2F&openid.assoc_handle=AMlYA9UI33WW3XfuQGjITXSgB0a0x8nsqD91iuWK9mdvwyBm4EEbk08g&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.namePerson_first%2Cext1.value.namePerson_first%2Cext1.type.namePerson_last%2Cext1.value.namePerson_last%2Cext1.type.contact_email%2Cext1.value.contact_email&openid.sig=laAMatkmFjOPrKPsmaIEg%3D&openid.identity=https3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAawnUG6Mr7_ynO1mN-fThr9wbOo&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%OawnUG6Mr7_ymuB1mN-fTFhr9wbOo&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.namePerson_first=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.namePerson_first=T&openid.ext1.type.namePerson_last=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.namePerson_last=M&openid.ext1.type.contact_email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext1.value.contact_email=**myemail%email.com**

这让我们对openid如何使用validate（）函数进行验证非常感兴趣，该函数是请求的来源，并将其发送回正确的源，并捕获任何未直接从openid服务器发送回的内容？sig或identity变量是否被用作某种公钥/私钥系统？

如果有人能帮我理解，那就太好了。

感谢