Single Sign-On, How?

[Trekkan]

I have several difference systems in place currently, all of them are (or will be) synced using the same password hashes, etc.

 

However, what I'd like to do is if someone signs on in System A, it also signs them on in Systems B, C and D.

 

Right now, I see no way that I can automatically sign someone into WHMCS from an outside source. Is this true, or is there a way to do this?

 

Thanks for any assistance you can provide!

 

-Troy

[WHMCS John]

It's totally possible, you'd probably want to use a combination of the API and action hooks: http://wiki.whmcs.com/Developer_Resources

[Trekkan]

John,

 

I've been looking into this more and don't see how I can do it. I need my users to be able to sign on from various points.

 

Right now, the only way I can see to login to WHMCS is to do a post to the login.php form. I can't do this as the users password I get is already MD5 encrypted. If there was an API for logging into WHMCS, then I could use that, but I couldn't find one. Am I just being blind? =)

[Trekkan]

I'd still like to know if there's a way to auth sending the MD5 hash of the password (more secure that way) instead of plain text, but regardless, I'm trying out some code to auto login and well.. It's just not working.

 

What's not working? I don't know. CURL I guess, however I don't get any data returned, no errors, etc.. so I'm just not sure what the deal is. Below is a copy of my text code (please ignore all the junk, as I said, it's test code).

Of course, edit the first 3 lines to suite your testing values.

 

<?
$login_page_url = $forum_root."www.domain.com/whmcs/dologin.php";
$postfields["username"] = "emailaddress";
$postfields["password"] = "passwowrd";

unset($ch);
$ch = curl_init();
echo "1: ".curl_error($ch)."<br>";
curl_setopt($ch, CURLOPT_URL, $login_page_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 100);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
//curl_setopt($ch, CURLOPT_MUTE, 0);
//curl_setopt($ch, CURLOPT_FRESH_CONNECT, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
echo "2: ".curl_error($ch)."<br>";
$cdata = curl_exec($ch);
echo "3: ".curl_error($ch)."<br>";
curl_close($ch);
//print_r($postfields);
echo "<hr>$cdata<hr>";
die("WHCMS LOGIN");
?>

 

CURL is enabled on my server (and works fine normally), So.. yeah. No idea.

 

Thanks for any help you can provide!

[laszlof]

It would be easier to do the login on WHMCS, and then use the ClientLogin actionhook to log the user into the other systems.

[Trekkan]

It would be easier to do the login on WHMCS, and then use the ClientLogin actionhook to log the user into the other systems.

 

Easier yes, but not in order to accomplish what we're looking to do. =)

[laszlof]

Well, You'd need to inspect what exactly is done when you login to WHMCS. I'd imagine you could start by outputting the $_SESSION and $_COOKIE variables to see exactly what is set when the user is logged in. Once you have found this, you should be able to set those session and cookies in your login script.

 

Furthermore, if the other systems are on another domain, you're likely going to run into issues doing it this way.

[Trekkan]

Well, You'd need to inspect what exactly is done when you login to WHMCS. I'd imagine you could start by outputting the $_SESSION and $_COOKIE variables to see exactly what is set when the user is logged in. Once you have found this, you should be able to set those session and cookies in your login script.

 

Furthermore, if the other systems are on another domain, you're likely going to run into issues doing it this way.

 

Yeah, that's what I'm doing now. Still failing though. heh

 

Basically, I'm just using cURL to hit the dologin.php page. But either a cookie or a session value isn't getting set correctly. Typically, since I'm doing the same thing as would happen normally, I'd think it'd work, but it's not.

 

Well, it somewhat works. I can login now, and the first page I get to, works fine. But anything I click on after that, I'm logged out. Clearly I'm not doing something that needs to be done, just not sure exactly what.

 

I'm still fooling around with it, but could use some help!

[laszlof]

Are you saving the cookie data when you use curl?

[Trekkan]

Are you saving the cookie data when you use curl?

 

I've tried that, with limited success. As I said, I can get it to login, but not save the session, so the next link you click, you're not logged in. Here's a copy of my test code (with many things commented out as I've been trying various things).

 

<?
$postvars["username"] = "emailaddress@gmail.com";
$postvars["password"] = "password";
$postvars["token"] = "yourinstallationtokenfromadmincp";
$posturl = "http://www.domain.com/whmcs/dologin.php";

session_start();
$strCookie = 'PHPSESSID=' . $_COOKIE['PHPSESSID'] . '; path=/';
session_write_close(); 

$lcon = curl_init();
curl_setopt($lcon, CURLOPT_COOKIE, $strCookie ); 
curl_setopt($lcon, CURLOPT_URL, $posturl);
//curl_setopt($lcon, CURLOPT_HEADER, 1); 
curl_setopt($lcon, CURLOPT_RETURNTRANSFER, 1); 
//curl_setopt($lcon, CURLOPT_VERBOSE, 1); 
curl_setopt($lcon, CURLOPT_POST, 1);
curl_setopt($lcon, CURLOPT_POSTFIELDS, $postvars); 
curl_setopt($lcon, CURLOPT_FOLLOWLOCATION, true); 
curl_setopt($lcon, CURLOPT_COOKIESESSION, true); 
//curl_setopt($lcon, CURLOPT_COOKIEFILE, "cookiefile.txt");
curl_setopt($lcon, CURLOPT_COOKIEJAR, "cookiefile.txt");
//curl_setopt($lcon, CURLOPT_COOKIE, session_name() . '=' . session_id()); 

$ldata = curl_exec($lcon);
if(curl_error($lcon)) {
	echo $url." - ".curl_error($lcon)."<br>";
}

setcookie("WHMCSUID", $_SESSION["uid"],0,"","", false, true);
setcookie("WHMCSPW", $_SESSION["upw"],0,"","", false, true);

echo "<hr>$ldata<hr>";
curl_close($lcon);
print_r($_SESSION);


?>

[tinderbox]

Are the cookies necessary? I've had luck just assigning the proper 'uid' and 'upw' values to the session. It logs me in and keeps me logged in, though I'm not yet sure for how much longer than the hour I tested it. (I'd assume the "Remember Me?" log in checkbox is managed with cookies, but I can't quite make out how.)

[tinderbox]

Yeah, I just dumped the $_COOKIE array and even when I checked the "Remember Me?" box, I can't seem to figure out what the cookies do.

[Trekkan]

Are the cookies necessary? I've had luck just assigning the proper 'uid' and 'upw' values to the session. It logs me in and keeps me logged in, though I'm not yet sure for how much longer than the hour I tested it. (I'd assume the "Remember Me?" log in checkbox is managed with cookies, but I can't quite make out how.)

 

I have no idea. I did check the session variables though and both of those values are set, at least on the one page. Then for whatever reason, they aren't set when clicking links on the page. No idea what might be set that is killing the sessions vars.

 

Could be something to do with them being assigned to the wrong sessionID or something I suppose, so it get's blasted... not sure how to tell if I have the correct sessionID, or which one is the correct one.

[tinderbox]

Alright, I think I've got the logic worked out:

- a normal session controls login status

- either the session variables are explicitly set by logging in or an outside script, or...

- WHMCS checks for the presence of valid WHMCSUID and WHMCSPW cookies and then creates the necessary session variables.

 

That seems to be how it's working for me on my end. If it's not for you, I'd imagine something's killing the session variables (like you said).

 

You might take a look at this. It was pretty informative for me.