need help combining


publisacman

Hi, I'm completely new to PHP and MySQL. I have 2 websites running on the same server and I'm just wondering if there is a way that when someone logs into one of the websites that it will automatically log them in the other website as well so that they don't have to log in again. Maybe if you can point to some good beginner reading material or something that would be great.


Unless they're using the same domain name, you'll have to set up a sort of information-sharing scheme where one website can tell the other about a user. Basically,

1. User is on website A

2. You/the user decides to visit website B and they need to be logged in

3. Website A "calls" website B (for example, with a POST request) and passes along information about the user

4. Website B stores that information somewhere then returns (a) whether the user was accepted, and if so (b) a special, unique, one-time URL

5. Website A redirects the user to that URL

6. Website B now uses that special URL to look up the information it stored earlier and log the user in


And what prevents me from using that information-sharing system to fetch a one-time URL for an arbitrary user and take over their account?

 

publisacman, I strongly recommend you refrain from the idea, especially when you're completely new to PHP and MySQL. Many developers can't even implement a single log-in system. The chances of getting two systems with a complex single sign-on protocol right are close to zero. What will probably happen is that you break the authentication mechanism of both sites and end up with no security at all.

 

In fact, if your websites are so closely coupled that you feel the need to sync the user accounts, you should think about having one website with a single authentication system and different subdomains.

Edited by Jacques1

Nice, that's really helpful! The 2 websites are 1. xbmc-video-server where users can log in to watch videos but did have much settings for administrating users (mostly need to restrict access to certain pages for different users groups) so downloaded and installed userfrosting (www.userfrosting.com), it's a system already coded and easy to restrict access to pages. Ideally I could just strip all the login and user stuff from xbmc-video-server but that seems complicated. I want users to log in through userfrosting's system and then click a link to go to xbmc-video-server page (if they have access they will see the link) then go to xbmc-video-server without having to be logged in again.
 

Both "sites" use the same domain and are actually also installed on the same server. Could they share a database in MySQL and log in to both at once?


It's all pretty easy and obvious, having users share login information: query the database, check credentials, blah blah blah... except when it comes to the cookies. The problem is that you can't set a cookie for a different domain. If you moved the xbmc site to, like, xbmc.userfrosting.com, then this whole thing gets much simpler.

 

Regarding what Jacques said, you would have to be careful about how you implemented what I gave. At second glance it's not as brief as I thought so it's not as obvious that I was only giving the overview to the process. You basically have to make an API to your site exactly like how other sites might - it's just that you only have one website using that API. Along with it you need to deal with an authentication system (API keys and the like), input validation, and all that kind of stuff. The level of security varies, from simple to paranoid, but you have to have something for it.


If I understand the OP correctly, the two applications are in fact behind the same domain.

 

In that case, you just have to put the authentication logic from one application into the authentication logic of the other application. For example, while you create the session for the one service, you'd also create a second session for the other service. Doing everything twice may be cumbersome, but it's the easiest and most secure solution. If you merge the two systems, there's a huge risk of introducing bugs and breaking the security.

 

How complicated this project will be depends on the software, of course. 

Edited by Jacques1

If they are the same site (same domain name) then it's just a matter of setting the session cookie...

 

Getting into the xbmc-video-server code, that could be tricky. It uses the Yii framework to do logins, and like all frameworks you can't use just a part of it.

The most straightforward way would be to do a POST request to the login page, with the right credentials, except you'd have to know their password. Then receive the cookie they try to set and pass it through to the user and redirect.

You could also write something (e.g., a new controller in the app) that would allow you to force a login for any user without having to know the password, but you'd have to be very careful about making sure it's not possible for anyone else to trigger that code.

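The six-step handoff described earlier in the thread, with the protections the replies ask for (an authenticated server-to-server call and a single-use, expiring token), which is also the guard a forced-login endpoint would need. This is an added example, not code from any poster, UserFrosting or xbmc-video-server; `SHARED_KEY`, the function names and the in-memory `$store` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the thread): SHARED_KEY is a secret known only to the
// two sites' servers; $store stands in for a database table on website B.
const SHARED_KEY = 'constructed-demo-key-change-me';
const TOKEN_TTL  = 30; // seconds a request or one-time URL stays valid

// Website A, step 3: sign the request so B can tell it really came from A.
function signHandoff(string $username, int $issuedAt): string
{
    return hash_hmac('sha256', $username . "\n" . $issuedAt, SHARED_KEY);
}

// Website B, step 4: verify the signature, then store a random one-time token.
function issueToken(array &$store, string $username, int $issuedAt, string $sig, int $now): ?string
{
    $expected = signHandoff($username, $issuedAt);
    if (!hash_equals($expected, $sig) || abs($now - $issuedAt) > TOKEN_TTL) {
        return null; // unauthenticated or stale request: no URL is issued
    }
    $token = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked table cannot be replayed as login URLs.
    $store[hash('sha256', $token)] = ['user' => $username, 'expires' => $now + TOKEN_TTL];
    return $token; // step 5: A redirects the browser to B's URL carrying this token
}

// Website B, step 6: redeem the token exactly once and return the user to log in.
function redeemToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    unset($store[$key]); // single use, even if the token turns out to be expired
    return ($row !== null && $row['expires'] >= $now) ? $row['user'] : null;
}

// Constructed walk-through of the exchange.
$store = [];
$now   = time();
$token = issueToken($store, 'alice', $now, signHandoff('alice', $now), $now);
var_dump(redeemToken($store, $token, $now)); // first redemption of a valid token
var_dump(redeemToken($store, $token, $now)); // second use of the same token
var_dump(issueToken($store, 'admin', $now, str_repeat('0', 64), $now)); // forged signature
```

In a deployment the step 3 call would travel over HTTPS between the two servers and `$store` would be a database table; the browser only ever sees the random token in the redirect URL.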
