I have an internal application at my site which presents a web-based form, then prompts the user to log in. If successful, it sets a session cookie containing an MD5, which is then used for single sign-on to any other enabled site.

I have written a custom Drupal authentication module (using the yahoo module as a guide, thanks, it was easy!) that checks the cookie. It works, and all the user has to do is log in using theirname@oursite.com and provide any password (doesn't check) and it validates against the cookie and lets them into Drupal.

What I would like to do is have Drupal check the cookie and auto-log them in without them having to actually type in their name again. I was looking at just a brute-force POST of their username using curl in my user module, but that seems a bit ugly and I was wondering if there was a better strategy.

We've been working with Drupal for two weeks putting up a departmental portal, and it's a fantastic solution for us, thanks!

Comments

Dries

Your Drupal site (website A) can't get access to the cookie of the other site (website B): when you visit website A your browser won't send the cookie of website B. If it did, any site would be able to read and modify any other site's cookie(s).

todd_dailey@yahoo.com

Thanks for the reply. Actually, the cookie reading is working just fine within my custom authentication module. This authentication is for an Intranet application, and I can read the cookie since I am originating from the same domain. (The cookie is set to the root domain of mysite.com.)

That part is working just great. What I'm trying to do is put the cookie checking logic, which is working fine in the auth module, somewhere else before the login box actually displays.

todd_dailey@yahoo.com

I got this working just fine and I thought I would outline how I did it.

After banging my head for a day trying to hook into Drupal's authentication system nicely, I went to a more brute-force approach of editing index.php. My needs are kind of specialized: we have an in-house application that I don't control that works like this:

- I do an include of a PHP library from our IT staff in the index.php that checks to see if the user's authentication cookie is set

- If it isn't, the application from IT logs the user in and sets the cookie that is then used for authentication

- The IT app then redirects the user back to my Drupal index.php

Now, what I did with Drupal is I modified index.php right after the common.inc include with this:

if (!$user->uid) {
  // Only runs for visitors who are not already logged in to Drupal.
  // [check the validity of the cookie]
  // $cookie_valid is a placeholder for the result of that check.
  if ($cookie_valid) {
    // [if the cookie is valid, then set the variables for the edit array (passed from my login app)]
    $edit['name'] = $username;
    $edit['pass'] = $password;
    $edit['destination'] = "/";
    $edit['remember_me'] = "0";
    user_login($edit);
    watchdog("user", "{$username}-Successful Corporate Authentication: status-code $corpStatus");
    return 1;
  }
}

I hope that gives you the general gist of what I did. I also wrote a custom module based on yahoo.module that authenticates the user based on them coming in from a username@mycompany.com address.

The last thing I did was add a line to user_logout in user.module that destroys the authentication cookie.

Anyway, I don't know if anyone else needs this sort of single sign-on function but feel free to contact me if you need any more tips.
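
The "[check the validity of the cookie]" step in the snippet above decides who is logged in without a password, so it has to reject forged, altered and expired cookies. The following is an added example, not code from this thread or from the IT library it mentions; the cookie layout `user|expiry|mac`, the use of HMAC-SHA256, the key and all function names are assumptions.

```php
<?php
// Added example. Cookie layout "user|expiry|mac" and every name below are
// assumptions for illustration, not the real format of the in-house cookie.

const SSO_KEY = 'constructed-demo-key-not-a-real-secret'; // constructed sample key

/** Build a cookie value; stands in for what the SSO application would set. */
function sso_issue(string $user, int $expiry, string $key): string {
    $mac = hash_hmac('sha256', $user . '|' . $expiry, $key);
    return $user . '|' . $expiry . '|' . $mac;
}

/** Return the authenticated username, or null if the cookie must not be trusted. */
function sso_verify(string $cookie, string $key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                        // malformed, or a stray "|" in a field
    }
    [$user, $expiry, $mac] = $parts;
    if ($user === '' || !ctype_digit($expiry)) {
        return null;                        // empty name or non-numeric expiry
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiry, $key);
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;                        // forged or altered after issue
    }
    if ((int) $expiry < $now) {
        return null;                        // authentic but expired
    }
    return $user;                           // only now is the name trustworthy
}

// Constructed sample input: one good cookie and three that must be rejected.
$now      = 1700000000;
$good     = sso_issue('alice@mycompany.com', $now + 3600, SSO_KEY);
$tampered = str_replace('alice', 'admin', $good);   // name changed, MAC not
$stale    = sso_issue('alice@mycompany.com', $now - 1, SSO_KEY);

$samples = ['valid' => $good, 'tampered' => $tampered,
            'expired' => $stale, 'garbage' => 'x'];
foreach ($samples as $label => $cookie) {
    $who = sso_verify($cookie, SSO_KEY, $now);
    echo str_pad($label, 9), ' => ', $who ?? 'rejected', PHP_EOL;
}
```

The username handed to the login call should be the value returned by the verification function, never a separate request parameter or an unverified cookie field.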