[wp-hackers] Single sign-on with Wordpress & Mediawiki
Travis Snoozy
ai2097 at users.sourceforge.net
Wed Oct 31 20:29:20 GMT 2007

On Wed, 31 Oct 2007 15:33:20 -0400, Callum Macdonald
<lists.automattic.com at callum-macdonald.com> wrote:
> Travis Snoozy wrote:
>
> Sounds like an interesting approach.
>
> How does the client application (say WordPress) determine if the user
> is logged in from their cookie?

In WordPress' case, the plugin simply forces a logged-in state with a
call to wp_set_current_user(). The plugin determines logged-in state by
asking the authorization provider whether or not the user is logged in.
How this determination is made (PHP session, in-cookie info, etc.) can
be changed, without affecting how the plugin works at all.

> Is it via a PHP session? If it is, I'm guessing the applications
> would need to be on the same server to share PHP sessions.

Yes, but the implementation could be changed. A nonce or other
time-sensitive, one-use token would also be sufficient for this; it's
just a simple matter of coding. ;)

> I'd be interested to see the code.

Sure thing; I've put the (rough, rough, 10-grit, I hacked it up
in a single sleepless night as a proof of concept and haven't
touched it since rough) prototype up[1]. I'm going to be tied up with
*ahem* "important business"[2] this month, but I'm happy to field
questions.

The prototype does handle:
* Account creations
* Password changes (to the "master" account, via WordPress)
* Logins
* Logouts
* WordPress

It doesn't (yet) handle:
* Password changes (from the "master" account to other products)
* Account deletions
* Account management frontend (i.e., independent of any other products)
* Bootstrapping
* Initial account import/merging
* Initial "unified" admin account setup
* Applications other than WordPress (I'm only familiar with WP's
plugin architecture & codebase ;)

--
Travis
In Series maintainer
Random coder & quality guy
<http://remstate.com/>

[1] http://remstate.com/SingleAuth-POC.tar.bz2
[2] http://nethack.devnull.net/
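
The "nonce or other time-sensitive, one-use token" mentioned in the message, sketched as an added example that is not part of the original post or of the SingleAuth prototype. The function names, the shared secret, the 60-second lifetime and the in-memory `$seen` store are all assumptions made for illustration; a real deployment would keep the used-nonce store somewhere every client request can reach.

```php
<?php
// Added illustration. sso_issue_token, sso_verify_token, SSO_SECRET and the
// $seen store are hypothetical names, not taken from the prototype.
const SSO_SECRET = 'constructed-demo-key-change-me'; // shared by provider and client
const SSO_TTL    = 60;                                // seconds a token stays valid

// Provider side: bind the user, an expiry and a random nonce under an HMAC.
function sso_issue_token(string $user, int $now): string {
    $payload = json_encode(['u' => $user, 'exp' => $now + SSO_TTL,
                            'n' => bin2hex(random_bytes(16))]);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, SSO_SECRET);
}

// Client side: returns the user name, or null if the token is forged,
// expired, or has been presented before. $seen maps nonce => expiry.
function sso_verify_token(string $token, int $now, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    if ($payload === false) return null;
    // Constant-time MAC check, done before the payload is parsed or trusted.
    if (!hash_equals(hash_hmac('sha256', $payload, SSO_SECRET), $parts[1])) return null;
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['u'], $data['exp'], $data['n'])) return null;
    if ($now > $data['exp']) return null;        // time-sensitive
    if (isset($seen[$data['n']])) return null;   // one-use: reject replays
    $seen[$data['n']] = $data['exp'];            // remember only until expiry
    foreach ($seen as $n => $exp) {              // prune nonces that can no longer verify
        if ($exp < $now) unset($seen[$n]);
    }
    return $data['u'];
}

// Constructed walk-through with a fixed clock value.
$seen  = [];
$t0    = 1193862560;
$token = sso_issue_token('alice', $t0);
var_dump(sso_verify_token($token, $t0 + 5, $seen));    // first presentation
var_dump(sso_verify_token($token, $t0 + 6, $seen));    // same token replayed
$late = sso_issue_token('alice', $t0);
var_dump(sso_verify_token($late, $t0 + 61, $seen));    // presented after expiry
$forged = base64_encode('{"u":"admin","exp":9999999999,"n":"00"}')
        . '.' . str_repeat('0', 64);
var_dump(sso_verify_token($forged, $t0, $seen));       // MAC does not match
```

In a WordPress plugin, a non-null result from the verification step is the only point at which the forced login via wp_set_current_user() would be made.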