0
votes

I know this question defeats the object of having security in the first place, but you know how clients can be sometimes.

Basically the client has 2 sites, one built in modx and one in asp, they both have a login in place with a single user profile that every visitor gets to use.

They want users to be able to login to the asp site and then click a link to visit the modx site and be logged in automatically - I'm not even sure this is possible...

I've tried passing the same variables that the login form does to various pages but without any success, I'm just returned to the login page each time.

www.mywebsite.com/index.php?id=87&username=myusername&password=mypassword&returnUrl=%2F&service=login&Login=Login

Has anyone else tried anything similar before? I've got some code that would allow me to do something with PHP, but with the referring site being built in ASP, which I have no knowledge of, I'm a bit stumped.

E2A:

I asked the same question on the MODX forums and received this by way of reply:

I think the best way should be to use a third party login service such as OpenID. But this means changes to the site based on asp. If you want to do this with url parameters, don't use the "Login" snippet. "Login" needs input to authenticate a user. Make a custom snippet and get usage of the security/login processor (I assume you are running Revolution 2.2x). The snippet can be something like this:

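<?php
 // Key of the context this snippet is running in
 $loginContext = $modx->context->get('key');
 // Properties for the core security/login processor;
 // the credentials are read straight from the query string
 $c = array(
   'login_context' => $loginContext,
   'username' => $_GET['username'],
   'password' => $_GET['password'],
   'returnUrl' => null,
   'rememberme' => false
 );
 // Run the processor; the result is stored in $response but never inspected
 $response = $modx->runProcessor('security/login', $c);
 // Always returns true (rendered as 1), whatever the processor result was
 return true;
?>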

The snippet seems to work and returns a value of 1, but it's not logging me in, probably because I don't know what this means

get usage of the security/login processor

Where would I do that?

2
Passing this as unencrypted text in GET/POST is very dangerous. You could instead expand the Modx login to have a remember-me option and use that. That way they don't have to log in again and again all the time. But multisite-login like you are talking about is difficult. It takes a loooot of time. - OptimusCrime
Are both sites on the same server? - okyanet
I know it's dangerous, but the client opted to have a single login for ALL their users to share and there's no significant or personal info held on the site (it's a how-to list for hedge fund manager tax dodgers!) so as long as they're happy so am I. I'll look into expanding the remember-me option, at least then they'll just have to log in the once. @okyanet, the sites are on completely different servers. - Funk247

2 Answers

0
votes

I've done this before where the user logged into modx & I had a little SSO script fire on the modx after-authentication event that would log them into a moodle site ~or~ create the parallel user in moodle if they did not exist. If you want them logging into the asp site first you are probably going to have to save the user's credentials [from the asp login form] in a session variable and then re-route them through a page that will make the post request to the modx site ~ then route them back to wherever the ASP page was going. IF you are lucky.

0
votes

You can pass a signed token including a timestamp and a user ID in the URL, so the MODX site can verify that the token was produced by the ASP application, and that it was created recently. Never include the credentials, or any non-opaque user data in such a token, as the token will be visible forever in the browser history.
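The signed-token approach from the answer above, sketched in PHP as an added example (not code from the answerer or from MODX). It assumes HMAC-SHA256 with a secret shared between the two servers; the function names, the secret placeholder, the 60-second lifetime and the user ID value are all hypothetical.

```php
<?php
// Added example. Secret, TTL and names are assumptions, not from the page.
const SSO_SECRET = 'REPLACE-WITH-LONG-RANDOM-SHARED-SECRET'; // placeholder
const SSO_TTL = 60; // seconds a link stays valid (assumed)

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Issuer side (the ASP app would do the equivalent):
// opaque user ID plus issue time, HMAC-signed. No credentials in the token.
function sso_issue(string $userId, int $now): string {
    $payload = b64url(json_encode(['uid' => $userId, 'iat' => $now]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SSO_SECRET, true));
}

// Verifier side (the MODX site): returns the user ID,
// or null if the token is malformed, forged or stale.
function sso_verify(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SSO_SECRET, true));
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    // The payload is only parsed after its signature has been checked.
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['iat']) || !is_int($data['iat'])) {
        return null;
    }
    // Reject tokens dated in the future (5 s clock skew) or older than the TTL.
    if ($data['iat'] > $now + 5 || $now - $data['iat'] > SSO_TTL) {
        return null;
    }
    return (string) $data['uid'];
}

// Constructed sample run.
$now = time();
$token = sso_issue('shared-member', $now);
var_dump(sso_verify($token, $now));               // freshly issued token
var_dump(sso_verify($token . 'x', $now));         // signature altered
var_dump(sso_verify($token, $now + SSO_TTL + 1)); // past its lifetime
```

A token stays replayable until its lifetime runs out, so the lifetime should be short and the link served only over HTTPS. The verified user ID is what the MODX side would then map to a local session; that step is not shown.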