HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Method to allow SSO auto logon/logoff

dlefflerdleffler New
edited January 2012 in Feedback

I've developed a method to have my external php CMS auto log on/log off of Vanilla forums. While it does require a bit of tweaking, it should be a transparent installation across other php apps. Basically, you:

  • Get the (core) Vanilla installation going using the same admin user name/password as the main site
    -- Select the <embed> theme
    -- Select the 'connect' registration method

  • Install the jsconnect plugin, but use the 'functions.jsconnect.php' file from github
    -- Create the jsconnect authentication file
    -- Create a jsconnect connection, but leave the sign in and register urls blank

  • There are a couple of minor tweaks to remove the sign-in links scattered about
    -- Add two config.php settings to turn off user edit profile and show guest module
    -- Change the dashboard_link plugin to popup in a new window
    -- Comment out the {signinout_link} in /themes/EmbedFriendly/views/default.master.tpl

  • Add some lines of code to you php app login/logout functions

    -- login
    setcookie('Vanilla',' ',time()+3600,'/',HOSTNAME); setcookie('Vanilla-ConnectFlood',' ',time()-3600,'/',HOSTNAME); unset($_COOKIE[' Vanilla-ConnectFlood']);

    -- logout
    setcookie('Vanilla',' ',time()-3600,'/',HOSTNAME); setcookie(' Vanilla-ConnectFlood',' ',time()-3600,'/',HOSTNAME); unset($_COOKIE['Vanilla']); unset($_COOKIE[' Vanilla-ConnectFlood']);

  • Add the following method to the class.jsconnect.plugin file (most of which is just uncommented excpet for the last several lines.

`public function Base_BeforeDispatch_Handler($Sender, $Args) {
if (Gdn::Session()->UserID > 0)
return; // user signed in, don't check
$CookieName = C('Garden.Cookie.Name', 'Vanilla').'-ConnectFlood';
if (GetValue($CookieName, $_COOKIE)) {
setcookie($CookieName, TRUE, time() + 60, '/'); // flood control 1 min

  $Providers = self::GetAllProviders();
  foreach ($Providers as $Provider) {
     $Url = self::ConnectUrl($Provider, TRUE, FALSE);
     if (strpos($Url, 'vanillajs.php') === FALSE)
     try {
        $Response = ProxyRequest($Url, 5, TRUE);
     } catch (Exception $Ex) {
        echo "Error: ";
        echo $Ex->getMessage()."<br />\n";
     $Data = @json_decode($Response, TRUE);
     if (!empty($Data['name'])) {
         $Data['Url'] = $Url;
         $client_id = GetValue('AuthenticationKey', $Provider);
         header('Location: ' . 'entry/jsconnect?client_id='.$client_id.'&Target=/');



  • Options

    Hi dleffler

    This would be really useful to me. I'm a bit confused though. Any chance you could add a bit more detail to this. For example When I login to the main site (cookies are set) click on the page that the forum is embedded on I get Howdy Stranger and then the details of the main site user from the callback if I click on their name I get UniqueID is required.

    I can't find 'functions.jsconnect.php' file from github.

    Not sure how to do this: Add two config.php settings to turn off user edit profile and show guest module.

    Would it be possible to share all the files you actually changed?

    Thanks with your help with this. I'm sure a lot of people could benefit.

  • Options

    I ran into an issue locally, but it may be tied with importing an existing phpBB forum and having 4500 existing users rather that creating each new user from scratch.

    Also having difficulty with this forum formatting...where it takes my lines and crunches them togehter and arbitrarily decides not to 'code' some of the code.

    I hope to have a zipped file available as a link in the near future.

  • Options

    I'm pretty interested in this as well. Did either of you have any luck?

  • Options

    dleffler thank you for posting this, it is definitely helpful!

    When I'm less frustrated with my wordpress and vanilla integration, I'll take another stab at SSO. :-P

  • Options

    I tried the method above but it did not work for me. After some investigation I came up with a working method.

    • First, embed the forum and get jsconnect installed and working. I downloaded jsconnect from the Addons page, not from Github.

    • Add the following function in plugins/jsconnect/class.jsconnect.plugin.php before the last } at the end of the file: http://pastebin.com/vVAZPxHT This is the code from the last instruction of the opening post, but copyable.

    • In your own login function, when you've authenticated your user and are ready to show him a message he's logged in or send him to you homepage, instead redirect him to: http://www.example.com/vanilla/index.php?p=/entry/jsconnect&client_id=CLIENTID&Target=http://www.example.com/success.php

    • In your logout function, add the code from here: http://pastebin.com/R4wCh9su This is the code from the opening post, but with the spaces in front of Vanilla-ConnectFlood removed (whitespace is not allowed in cookie names). Also, I've changed HOSTNAME to the format that works for me (domain name with a leading dot). I have the following set in my vanilla conf/config.php: $Configuration['Garden']['Cookie']['Domain'] = ''; They don't match, but it works for me.

    The end result is that when you log in on your website, you will see Vanilla's 'Connecting...' with a rotating blue loading circle, which then sends you back to the page you specified in the redirect URL. If you now visit the page with the embedded Vanilla you should be logged in. I find that the extra 'Connecting...' step, though it takes a second, makes logging in feel nice and fancy.

  • Options
    edited January 2012

    I'm trying to make a one-click logon for both WordPress and Vanilla utilizing this great jsconnect plugin.

    On my WordPress site I use the following link to log into WordPress,

    <?php echo get_site_url()?>/wp-login.php?redirect_to=<?php echo get_site_url()?>/../forums/entry/jsconnect?client_id=14478729&Target=<?php echo get_permalink() ; ?>

    Although the URL parses as intended, the &Target=<?php echo get_permalink() ; bit gets lost in the login process. My intention is to return to the page where the login is done.

    I'm not a PHP guru, but is there a way to make this work?

    Also since the client_id and the URL of Vanilla is defined within WP in the jsConnect plugin, is there a way to extract this from WP to replace echo get_site_url()?>/../forums/entry/jsconnect?client_id=14478729? (i thought getVanillaAutoLoginURL() would be valid, but that does not work)

  • Options

    @Armon or @dleffler:
    Thanks for sharing this method. I got the sign-in process working perfectly. However, I can't seem to destroy/delete/unset the cookies at the sign-out process. I tried it with the dot in front of the domain, without and so on but it just doesnt delete the cookie. The weird thing is: For debugging, I tried this:

    if (!isset($_COOKIE['Vanilla']))
    echo "Cookie deleted";

    and it worked?! However the cookie was still there and I was still signed in at the forums...

    Any ideas on where I'm going wrong with this?

  • Options
    HalfCatHalfCat ✭✭
    edited June 2012

    Ok, I got it to work. However I guess the way I got it to work is not the way it is supposed to be. Setting the time to the past didn't alter the cookie at all. That's why I set it to time()+1 which works as it expires a second after the user logged out...

  • Options

    This doesn't work for me (Armon's method) if vanilla is embedded. It does work if I visit my vanilla forum outwith the emdedded page... ie if I login I see the connecting, the vanilla cookies are created, go to my embedded forum NOT logged in browse to mysite.com/forum and I am logged in. Any pointers? Also I don't have a cookie Vanilla-FloodControl, I have one called Vanilla and one called Vanilla-Volatile.

  • Options

    I'm working on this as well.. and also don't have Vanilla-FloodControl

  • Options
    whu606whu606 I'm not a SuperHero; I just like wearing tights... MVP
    edited May 2017


    Probably better to start a new thread, rather than resurrect a 5 year-old one...

Sign In or Register to comment.