I'm working on integrating a forums software (SMF) and a custom CMS that I have built. The thing that is being the most difficult is logging in once, and authenticating on both systems. I found a method for submitting a login form using PHP. http://forums.digitalpoint.com/showthread.php?t=141762 For some reason, I can get the form to submit to the CMS, but then all authentication is lost when I try to browse the admin section (the part that requires authentication). Am I right in assuming that if the custom CMS authenticates using only sessions, this method will not properly assign the session variables? (Because it is a "remote call") If this is correct, can anyone suggest a workable solution for a single sign on with SMF? There is one catch though. I don't want to modify any of SMF's code. I want the install of SMF to be very simple to upgrade when security updates (and more) come out.
When you say "remote call" do you mean that the CMS you have is on a different host (domain)? Session data and cookies are only visible to the host that created them (in theory!) so a session started by "abc.com" cannot be read / authenticated by "def.com". If the forum and CMS are on the same domain then I would need to see the code, and I would say make sure you use session_start() on every page where you are checking login status ...
The CMS and the forum are on the same server. I have included session_start at the top of all pages, and then the pages validate from the session variables. It works just fine if I log into each system separately. The problem that I'm running into is that when I use PHP to make the HTTP request to try to log the user in, the session variables aren't set. Here is an example of what I am trying to do:

```php
<?php
$url = 'http://localhost/login.php'; // Logs the user in
$params = "username=123&password=333"; // You must know what you want to post
$user_agent = "Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)";

$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);               // Send a POST request
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);   // Form body
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);     // Return the response body instead of printing it
$result = curl_exec($ch);
curl_close($ch);

echo "Results: <br>" . $result;
?>
```

When I make that call, the session variables are not set. As stated earlier, I'm assuming that this is because it is not my browser that is making the HTTP request, but it is the PHP server that is making the request. Is this the case?
I think you're right, it's because it's effectively the server, not the browser, that's logging in. Did a quick search and found this: OK so you may not be redirecting but I think the header info would still apply. My thoughts are, if the user is logging in normally via the browser then you wouldn't even have to call the second login so long as they are on the same top level domain as the session information should be kept alive anyway. So, if you want an automated login where it is not the user initiating it then maybe you should have a JavaScript to perform this ...
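The behaviour discussed in this thread, as an added example that is not code from any of the posters (written in Python rather than PHP so that it runs on its own without a web server). It assumes a constructed toy CMS that issues a `PHPSESSID` cookie on login; `ToyCMS`, `request` and `demo` are hypothetical names, and the credentials are the sample values from the post.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # session id -> user; stands in for PHP's server-side session store

class ToyCMS(BaseHTTPRequestHandler):
    """Constructed stand-in: POST /login.php starts a session, GET /admin.php needs one."""
    def _reply(self, status, body, sid=None):
        self.send_response(status)
        if sid:
            self.send_header("Set-Cookie", f"PHPSESSID={sid}; HttpOnly; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # credentials are not checked; only the cookie flow matters
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid = secrets.token_hex(16)
        SESSIONS[sid] = "123"
        self._reply(200, b"logged in", sid)

    def do_GET(self):
        sid = self.headers.get("Cookie", "").partition("PHPSESSID=")[2].split(";")[0]
        ok = sid in SESSIONS
        self._reply(200 if ok else 403, b"admin" if ok else b"denied")

    def log_message(self, *args):
        pass  # silence per-request logging

def request(port, method, path, body=None, cookie=None):
    # Send one request; return (status, Set-Cookie header or None).
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie")

def demo():
    server = HTTPServer(("127.0.0.1", 0), ToyCMS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    # Server-side login (the cURL call in the post): Set-Cookie is returned to this client.
    _, set_cookie = request(port, "POST", "/login.php", "username=123&password=333")
    backend, _ = request(port, "GET", "/admin.php", cookie=set_cookie.split(";")[0])
    # The user's browser never received that header, so it sends no session id.
    browser, _ = request(port, "GET", "/admin.php")
    server.shutdown()
    return backend, browser  # (200, 403)
```

The session exists on the server, but its identifier was handed to the backend HTTP client, so only that client is authenticated; the browser's later request arrives with no session cookie and is refused.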