Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.


I just installed a fresh install of vanilla with hopes of integrating SSO with WHMCS. I followed instructions here:

I keep getting an array of different errors, like no password for user, signature. Both sites use SSL and I read some users had trouble with SSL. Any help on this will be appreciated.



  • Also with this setup. It is not possible for users to logout of vanilla.

  • I have a feeling it could be related to characters in username like " @ "

  • Have you tried setting charset header?

    grep is your friend.

  • Logout delete the cookie if same domain or use a redirect pipe.

    grep is your friend.

  • I checked and it looks like it is already utf-8. I think I may be missing something about setting this in the headers too.

  • will you can record network traffic in your browser to inspect the headers.

    grep is your friend.

  • It is showing as utf-8 in headers. I flushed cache/cookies and I changed the $Secure = 'true'; to sha1 as mentioned in another post here and making progress as I now can connect to an account. It asks to verify password : " Enter your existing account password. "

    I then get: The password you entered is incorrect.

    Any ideas? Should I try MD5 of keep it set to Sha1?

  • Btw that example is using an outmoded way of connecting to he database and it is not clear what encoding it is using or the data is store as. You should probably pre simplify user names for vanilla anyway. I would avoid the space for one. Maybe camel case the First an last names.

    That example is altogether a bit crude.

    grep is your friend.

  • Thanks for the tips!

    May be you can spot something wrong with my php code:


    require_once 'functions.jsconnect.php';;
    // 1. Get your client ID and secret here. These must match those in your jsConnect settings.
    $clientID = "######";
    $secret = "################";
    $user = array();
    if ($_SESSION['uid']) {
    $result = mysql_query("SELECT id,email,firstname,lastname FROM tblclients WHERE id=".(int)$_SESSION['uid']);
    $data = mysql_fetch_array($result);
    $user['uniqueid'] = $data['id'];
    $user['name'] = $data['firstname'] . " " . $data['lastname'];
    $user['email'] = $data['email'];
    // 4. Generate the jsConnect string.
    // This should be true unless you are testing. 
    // You can also use a hash name like md5, sha1 etc which must be the name as the connection settings in Vanilla.
    $secure = sha1; 
    WriteJsConnect($user, $_GET, $clientID, $secret, $secure);


    $pagetitle = $_LANG['clientareatitle'];
    $_SESSION['loginurlredirect'] = "";
    $templatefile = "login";
  • get rid of the ?>

    grep is your friend.

  • $secure = 'sha1';

    grep is your friend.

  • x00x00 MVP
    edited January 2015

    having a global session like $_SESSION['uid'] defeats the point of an authentication provider. It will work though but not the best practice.

    grep is your friend.

  • x00x00 MVP
    edited January 2015

    what is the contents of dbconnect.php?

    grep is your friend.

  • require("");

    why are you doing this?

    grep is your friend.

  • why do you need another login anyway? You already have a framework you want to connect to right? Use that login.

    grep is your friend.

  • Thanks. This is helping but still not resolved. I do not get an error now, but it does not sign me in either.

  • Yes, how can I do that?

  • RESOLVED. After checking pretty much everything I found the issue was caused by my user group permission roles settings. The users I was testing this with did not have permission to login, hence the authentication error.

    Thanks for your help x00

  • @ptoone said:
    Yes, how can I do that?

    Don't need to do anything. If the framework you are linking already has a login use that.

    As much as possible standalone, script are not the way to go, when working with frameworks. You want to limit the entry point to your site.

    grep is your friend.

  • Is there a setting somewhere that I change to enable this?

Sign In or Register to comment.