Joomla login automatically performed by external php script which is called through soap(nusoap) web service

Shubhanshu Gupta

Oct 25, 2013, 12:50:40 AM
to joomla-de...@googlegroups.com
"I have two Joomla sites which run on different servers, and I want to create login functionality such that when a user logs in to either Joomla site, that user is automatically logged in to the other Joomla site."

For this purpose, I have implemented a SOAP web service with the nusoap library. The library is working fine and establishes the client-server connection. Using that connection, I call the Joomla login functionality with the user's credentials from the client site (say site1); it calls the Joomla login function of the other site (the server site, say site2) successfully and returns the user information back to the calling site (site1). The problem is that when I refresh the page of the server site (site2) to check the login, no login has been performed. It asks the user to log in even though the login function has already been executed.

I have also checked the session table of the server site (site2), where I get a new entry for each call performed by the client site (site1), but the requested user is still not logged in.

The code in the server file is:

<?php

require_once "lib/nusoap.php";

define( '_JEXEC', 1 );
define( 'DS', DIRECTORY_SEPARATOR );
define( 'JPATH_BASE', $_SERVER[ 'DOCUMENT_ROOT' ]. DS . basename(dirname(__DIR__)) );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

require_once( JPATH_BASE .DS. 'libraries' .DS. 'joomla' .DS. 'factory.php' );
require_once( JPATH_BASE .DS.'libraries' .DS. 'import.php' ); // framework
require_once( JPATH_BASE .DS. 'configuration.php' ); // config file
require_once ( JPATH_BASE.DS.'libraries'.DS.'joomla'.DS.'environment'.DS.'request.php');

jimport( 'joomla.user.authentication');
jimport( 'joomla.user.user');
jimport( 'joomla.environment.uri');
jimport( 'joomla.utilities.utility');
jimport( 'joomla.event.event');
jimport( 'joomla.event.dispatcher');
jimport( 'joomla.language.language');
jimport( 'joomla.utilities.string');
jimport( 'joomla.session.session');
jimport( 'joomla.plugin.helper');

$mainframe =& JFactory::getApplication('site');
$mainframe->initialise();
JPluginHelper::importPlugin('system');


function getLogin($userid,$psswrd)
{
    $app = JFactory::getApplication();
    $auth = & JAuthentication::getInstance();
    $session =& JFactory::getSession();

    $session->set('name', "value");
    $ssn_name = $session->get('name');
    $sessionDetails = array(
        'State' => $session->getState(),
        'Expire' => $session->getExpire(),
        'Token' => $session->getToken(),
        'FormToken' => $session->getFormToken(),
        'Name' => $session->getName(),
        'Id' => $session->getId(),
        'getStores' => $session->getStores(),
        'isNew' => $session->isNew()
    );

    $username = $userid;
    $password = $psswrd;
    $credentials = array( 'username' => $username, 'password' => $password );
    $options = array();
    $response = $auth->authenticate($credentials, $options);
    if ($response->status == JAUTHENTICATE_STATUS_SUCCESS)
    {
        $response->status = true;
        $_SESSION['__default']['session.client.browser']="Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/11.10 Chromium/18.0.1025.168 Chrome/18.0.1025.168 Safari/535.19";
        $_SESSION['__default']['registry']='JRegistry Object ( [data:protected] => stdClass Object ( ) ) ';

        $sessionDetails['loginStatus'] = $loginStatus = $app->login($credentials, $options);

        $_COOKIE['__utma']='45004194.1928719031.1380175958.1380175958.1380175958.1';
        $_COOKIE['__utmz']='45004194.1380175958.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)';
        $namee=$sessionDetails['Name'];
        $_COOKIE[$namee]=$sessionDetails['Id'];
        $merge=array_merge($_SESSION,$sessionDetails);
        $merge1=array_merge($merge,$_COOKIE);

        return $merge1;
    }
    else
    {
        $response->status = false;
        return 'testFalse';
    }
}

$server = new soap_server();
$server->register("getLogin");
$server->service($HTTP_RAW_POST_DATA);

And the code in the client file is:

require_once JPATH_SITE.'/nusoap/lib/nusoap.php';

$client = new nusoap_client("http://192.168.1.51/joomla_WebServer/nusoap-server/remoteLogin.php");
$error = $client->getError();
if ($error) {
    echo "<h2>Constructor error</h2><pre>" . $error . "</pre>";
}

$result = $client->call("getLogin", array("userid" => "admin","password" => "root"));
//echo '<pre />Test Result = ';print_r($result);die;
if ($client->fault) {
    echo "<h2>Fault</h2><pre>";
    print_r($result);
    echo "</pre>";
}
else {
    $error = $client->getError();
    if ($error) {
        echo "<h2>Error</h2><pre>" . $error . "</pre>";
    }
    else {
        echo "<h2>Books</h2><pre>";
        // getLogin returns an array on success, so print_r is needed to show it
        print_r($result);
        echo "</pre>";
    }
}

You can also test this problem on localhost by replacing the IP address, and you can download the nusoap library using the following link: http://kaz.dl.sourceforge.net/project/nusoap/nusoap/0.9.5/nusoap-0.9.5.zip

Can anyone help point me in the right direction towards a solution for this ASAP?

Gary Mort

Oct 25, 2013, 2:25:38 PM
to joomla-de...@googlegroups.com
When a user "logs in", a session is created in the database AND the server sends the session id to the user's web browser in a cookie - it is that cookie which allows the website to identify the user when they visit.

Your code generates a "log in" event and creates the cookie, but I don't see any method of getting that cookie TO the user's browser.  Assuming you have 2 distinct sites, www.firstsite.com & www.secondsite.com, then there is no way for one site to DIRECTLY set a cookie for the other site.

You can do it indirectly, however, by embedding an invisible image in the page.
In remoteLogin.php swap:
      $namee=$sessionDetails['Name'];
      $_COOKIE[$namee]=$sessionDetails['Id'];
      $merge=array_merge($_SESSION,$sessionDetails);
      $merge1=array_merge($merge,$_COOKIE);

To
      $logonResults = array();
      $logonResults['authenticated']=true;
      $logonResults['sessionName']=$sessionDetails['Name'];
      $logonResults['sessionId']=$sessionDetails['Id'];
      return $logonResults;

Then you will want to create a second script, nusoap-server/setUser.php

For the client code, you will need to embed, on the page the user is redirected to, an image tag with the URL of:
http://192.168.1.51/joomla_WebServer/nusoap-server/setUser.php?sessionName={$logonResults['sessionName']}&sessionId={$logonResults['sessionId']}

setUser.php should retrieve the $sessionId and $sessionName and use them to set a cookie with that name containing that id.
Afterwards, it should just output some small image file; a 1-by-1 transparent pixel is fine.


This is pretty much a really insecure method of doing this.  For extra security, add in some hashing of the values with shared keys between the systems or such.
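
One way to add the "hashing of the values with shared keys" suggested in the reply above, as an added example that is not part of the thread or of Joomla: without it, setUser.php would set whatever session name and id arrive in the query string. The function names, SHARED_KEY, the 30-second lifetime and the accepted character sets are assumptions.

```php
<?php
// Added example, not code from the thread. SHARED_KEY is a placeholder for a
// random secret that both sites load from outside the web root.
const SHARED_KEY = 'replace-with-a-long-random-secret';
const MAX_AGE = 30; // seconds a handoff URL stays valid (assumed value)

// site1: build the query string for the setUser.php image URL.
function buildHandoffQuery(string $sessionName, string $sessionId, int $now): string
{
    $expires = $now + MAX_AGE;
    $mac = hash_hmac('sha256', "$sessionName|$sessionId|$expires", SHARED_KEY);
    return http_build_query([
        'sessionName' => $sessionName, 'sessionId' => $sessionId,
        'expires' => $expires, 'mac' => $mac,
    ]);
}

// site2, setUser.php: return [name, id] for an authentic request, else null.
function verifyHandoff(array $query, int $now): ?array
{
    foreach (['sessionName', 'sessionId', 'expires', 'mac'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null;
        }
    }
    // Assumed formats: alphanumeric cookie name, PHP session id alphabet.
    // Rejecting '|' here also keeps the signed payload unambiguous.
    if (!preg_match('/^[A-Za-z0-9]{1,64}\z/', $query['sessionName'])
        || !preg_match('/^[A-Za-z0-9,-]{1,128}\z/', $query['sessionId'])
        || !ctype_digit($query['expires'])) {
        return null;
    }
    $payload = "{$query['sessionName']}|{$query['sessionId']}|{$query['expires']}";
    // hash_equals compares in constant time
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_KEY), $query['mac'])) {
        return null; // forged or modified parameters
    }
    if ((int) $query['expires'] < $now) {
        return null; // URL older than MAX_AGE
    }
    return [$query['sessionName'], $query['sessionId']];
}

// Constructed sample values; setUser.php would pass $_GET and time().
parse_str(buildHandoffQuery('0123abcd', 'f3a9c1e7', 1000), $q);
var_dump(verifyHandoff($q, 1010));                         // request as issued
var_dump(verifyHandoff(['sessionId' => 'x1'] + $q, 1010)); // id swapped after signing
var_dump(verifyHandoff($q, 2000));                         // replayed after expiry
```

On a non-null result, setUser.php would call setcookie() with that name and id and the HttpOnly flag before outputting the pixel; on null it outputs the pixel and sets nothing. The expiry only narrows the replay window, and the session id still travels in a URL, so the handoff should run over HTTPS.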
