Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Integrating with a CMS - sessions logging in and out

edited March 2009 in Vanilla 1.0 Help
I have been looking at how to integrate login sessions with a CMS. The general approach I would like to take to a 'push' type interface, where the CMS controls all authentication and privilege groups, and basically tells Vanilla what to do. This includes: - creating and updating users and their privileges - logging users in - logging users out The first item is easy enough - the CMS has direct access to the database and so can update user details. The second two parts are a little more tricky. Logging in is on the surface simple, just create two cookies with the user id and veritication key in them (assuming the CMS and forums share the same cookie paths and domains). Upon visiting the forums, the user will be magically logged in. There is a slight problem here - these two cookies are left lying around, albeit for the lifetime of the browser window only. IMO the cookies should be removed as soon as they they are read, that is, as soon as their data is transferred to the session. This leaves less of a danger of the wrong user being logged in if the current user logs out (of the CMS) and back in as a different user, without closing the window. Now, the CMS has a session and the forums have their own session. I've seen it suggested that the same session cookie is used by both, so when one logs out and clears the session, the other automatically becomes logged out too. This is a big problem when integrating with some systems - it may not be desirable to clear their session out. Think of an online shop, where a basket can be carried across a browsing session, regardless of how many times you log in and out. Similarly, the CMS can contain various display options that the user has set, that - again - is not dependant on whether the user is logged in or not. So - the bit where I am getting stuck. For the CMS to tell Vanilla to log the current user off, it needs to open Vanilla's session. Since it has a session of its own to deal with, this is not really possible. The way PHP works, only one session is active, and you cannot access anything in any other session without the right cookies being present. So, how do I deal with logging off? Ideally, if Vanilla stored its sessions in the database, then it ought to be possible to flick a flag in the sessions table from 'logged in' to 'not logged in'. Unfortunately Vanilla does not store sessions in the database. The CMS can just delete the session cookie that Vanilla uses. This, however, becomes a housekeeping nightmare, as there will be lots of sessions of logged-in users hanging around on the server, and that will never be logged out or cleared or closed, because the session cookie is gone, cutting the connection between the browser and the session completely. Even Vanilla does not delete this session cookie when the user logs out, so having a CMS do it probably is not desirable. So - any simple solutions? I basically want to do something in the back-end (a web service or HTTP call, or database update) that will log a user off Vanilla, given that the CMS can read the session cookie. -- Jason PS Just as I wrote this, I got to thinking that a curl call to some logoff page within Vanilla, with the session ID (pulled from the session cookie) passed as a GET parameter, just may work. I would need to ensure GET parameters are accepted as session IDs (at least just for the script that does the logoff). Any thoughts on this? Anyone else done this kind of thing before, or even replace the standard PHP session storage mechanism with a database table? Sorry it's such a long post.


  • judgejjudgej
    edited November 2008
    I just tried that last thing I mentioned, it it worked great, so now I have my logout function. In summary: In the CMS, do this: // Get settings include('appg/settings.php'); include('conf/settings.php'); // Get session name $session_name = (!empty($Configuration['SESSION_NAME']) ? $Configuration['SESSION_NAME'] : session_name()); // Get session ID $session_id = $_COOKIE[$session_name]; // Call up the custom logout script with the session sent as POST data $curl = curl_init($Configuration['BASE_URL'] . "autologout.php"); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, array($session_name => $session_id)); curl_exec($curl); curl_close(); Then the custom script 'autologout.php': <?php // Get settings include('appg/settings.php'); include('conf/settings.php'); // Get session name $session_name = (!empty($Configuration['SESSION_NAME']) ? $Configuration['SESSION_NAME'] : session_name()); // Get session ID if (empty($_GET[$session_name]) && empty($_POST[$session_name])) exit('No session supplied'); if (!session_id()) { session_name($session_name); session_set_cookie_params(0, $Configuration['COOKIE_PATH'], $Configuration['COOKIE_DOMAIN']); session_start(); } session_destroy(); echo "Logged out"; ?> And that's it. The above will allow a CMS to log the current user out of Vanilla, without messing around with its own session. It does so by destroying the session. If you had used the two cookies (cookieone and cookietwo) to log in, then you also need to ensure they are also removed, otherwise the user will get logged right back in again. I have added the following after line 118 of libaray/People/People.Class.Authenticator.php to deal with that: // [email protected] 2008-11-23 // Once we have grabbed these details, discard them. We don't need them again, since the details // will be transferred to the session. setcookie($this->Context->Configuration['COOKIE_USER_KEY'], "", time() -42000, $this->Context->Configuration['COOKIE_PATH'], $this->Context->Configuration['COOKIE_DOMAIN']); setcookie($this->Context->Configuration['COOKIE_VERIFICATION_KEY'], "", time() -42000, $this->Context->Configuration['COOKIE_PATH'], $this->Context->Configuration['COOKIE_DOMAIN']); There may be some rough edges that need rounding off here, for example I am not too familiar with the contexts. I'm just assuming there is a default settings file and an over-riding settings file. Remember that second script (autologout.php) is called up directly from the CMS, so the HTTP request will not contain any of the cookies that would be sent by the browser to track the session. Similarly, calling the script will not alter any of the session cookies within your browser. The sesssion ID will continue and be retained, but because the session data has been destroyed on the server, the server forgets that you are logged in. Hope that helps someone. -- Jason
  • If it is any use to anyone, I have created a module for the Xaraya CMS that synchronises users, roles, and logs you in and out of Vanilla as you log in and out of the Xaraya CMS. I'm sure the techniques could be applied to any other CMS with a little modification.

    The module can be obtained from the Xaraya monotone repository ( I'll create some snapshots and give access to my own subversion version too, if there is interest.

    -- Jason
  • I am interessted yes. I emailed you about that - got some Questions.
  • Sorry - just noticed these posts. I'm not sure I received either of your e-mails.

    -- Jason
  • any idea if the cms and the vanilla forum are on separate servers?

Sign In or Register to comment.