Integrating with a CMS - sessions logging in and out
judgej
I have been looking at how to integrate login sessions with a CMS. The general approach I would like to take to a 'push' type interface, where the CMS controls all authentication and privilege groups, and basically tells Vanilla what to do. This includes:
- creating and updating users and their privileges
- logging users in
- logging users out
The first item is easy enough - the CMS has direct access to the database and so can update user details. The second two parts are a little more tricky.
Logging in is on the surface simple, just create two cookies with the user id and verification key in them (assuming the CMS and forums share the same cookie paths and domains). Upon visiting the forums, the user will be magically logged in. There is a slight problem here - these two cookies are left lying around, albeit for the lifetime of the browser window only. IMO the cookies should be removed as soon as they are read, that is, as soon as their data is transferred to the session. This leaves less of a danger of the wrong user being logged in if the current user logs out (of the CMS) and back in as a different user, without closing the window.
Now, the CMS has a session and the forums have their own session. I've seen it suggested that the same session cookie is used by both, so when one logs out and clears the session, the other automatically becomes logged out too. This is a big problem when integrating with some systems - it may not be desirable to clear their session out. Think of an online shop, where a basket can be carried across a browsing session, regardless of how many times you log in and out. Similarly, the CMS can contain various display options that the user has set, that - again - is not dependent on whether the user is logged in or not.
So - the bit where I am getting stuck. For the CMS to tell Vanilla to log the current user off, it needs to open Vanilla's session. Since it has a session of its own to deal with, this is not really possible. The way PHP works, only one session is active, and you cannot access anything in any other session without the right cookies being present. So, how do I deal with logging off?
Ideally, if Vanilla stored its sessions in the database, then it ought to be possible to flick a flag in the sessions table from 'logged in' to 'not logged in'. Unfortunately Vanilla does not store sessions in the database.
The CMS can just delete the session cookie that Vanilla uses. This, however, becomes a housekeeping nightmare, as there will be lots of sessions of logged-in users hanging around on the server, and that will never be logged out or cleared or closed, because the session cookie is gone, cutting the connection between the browser and the session completely. Even Vanilla does not delete this session cookie when the user logs out, so having a CMS do it probably is not desirable.
So - any simple solutions? I basically want to do something in the back-end (a web service or HTTP call, or database update) that will log a user off Vanilla, given that the CMS can read the session cookie.
-- Jason
PS Just as I wrote this, I got to thinking that a curl call to some logoff page within Vanilla, with the session ID (pulled from the session cookie) passed as a GET parameter, just may work. I would need to ensure GET parameters are accepted as session IDs (at least just for the script that does the logoff). Any thoughts on this? Anyone else done this kind of thing before, or even replace the standard PHP session storage mechanism with a database table?
Sorry it's such a long post.
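The approach the post wishes for (sessions in a database table with a flag the CMS can flip) can be built with PHP's own session save-handler hook. The code below is an added example, not Vanilla's or Xaraya's code; the `vanilla_sessions` table, its column names, the `cmsForceLogout()` function and the `UserID|i:42;` payload are all assumptions for illustration, and an in-memory SQLite database is used so the script runs on its own under PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Vanilla's code. PHP sessions live in a database table with a
// per-session "logged_in" flag that the CMS can clear server-side, given only the
// value of Vanilla's session cookie. Table/column names are assumed; SQLite
// in-memory is used so the script runs stand-alone (PHP 8+).

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Called by session_start(). If the CMS has cleared the flag, return an empty
    // string: PHP then starts with an empty $_SESSION, so the stored user identity
    // is never restored and the visitor is treated as anonymous.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data, logged_in FROM vanilla_sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['logged_in'] === 0) {
            return '';
        }
        return $row['data'];
    }

    // Called at request end. Writing re-arms the flag, so a session that was
    // force-logged-out stores its new (anonymous) contents and stays usable.
    // INSERT OR REPLACE is SQLite syntax; MySQL would use ON DUPLICATE KEY UPDATE.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO vanilla_sessions (id, data, logged_in, updated_at) VALUES (?, ?, 1, ?)'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM vanilla_sessions WHERE id = ?')->execute([$id]);
    }

    // Garbage collection: rows untouched for $max_lifetime seconds are removed even
    // if the browser lost its cookie, which addresses the worry about orphaned
    // sessions piling up on the server.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM vanilla_sessions WHERE updated_at < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// CMS side (assumed helper): log the forum user out without opening Vanilla's
// session and without putting the session id on a URL. $sessionId is the raw
// value of Vanilla's session cookie as read by the CMS.
function cmsForceLogout(PDO $db, string $sessionId): bool
{
    $stmt = $db->prepare('UPDATE vanilla_sessions SET logged_in = 0 WHERE id = ?');
    $stmt->execute([$sessionId]);
    return $stmt->rowCount() === 1;
}

// --- stand-alone demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vanilla_sessions (
    id TEXT PRIMARY KEY,
    data TEXT NOT NULL,
    logged_in INTEGER NOT NULL DEFAULT 1,
    updated_at INTEGER NOT NULL)');

$handler = new DbSessionHandler($db);
// Inside the forum this would be registered with:
//   session_set_save_handler($handler, true); session_start();
// Here the handler is driven directly so the script runs from the CLI.

$sid = bin2hex(random_bytes(16));        // constructed session id
$handler->write($sid, 'UserID|i:42;');    // constructed payload, as if the user logged in
echo "before: ", var_export($handler->read($sid), true), "\n";  // 'UserID|i:42;'

cmsForceLogout($db, $sid);                // CMS flips the flag after reading the cookie
echo "after:  ", var_export($handler->read($sid), true), "\n";  // '' -> anonymous

$handler->write($sid, '');                // next forum request saves an empty session
echo "flag re-armed: ", $db->query('SELECT logged_in FROM vanilla_sessions')->fetchColumn(), "\n"; // 1
```

Flipping the flag in the table has two advantages over the curl-to-a-logoff-page idea in the PS: the CMS never has to accept a session ID as a GET parameter (a session ID on a URL ends up in access logs and Referer headers), and the forum session row stays intact, so the next request simply sees an anonymous visitor. The `gc()` method also gives the housekeeping the post is worried about: sessions whose cookie is gone expire from the table on their own.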
Comments
The module can be obtained from the Xaraya monotone repository (www.xaraya.com). I'll create some snapshots and give access to my own subversion version too, if there is interest.
-- Jason
thx!