login customization

abs · 03-31-2006, 12:02 AM

Hi, I am Abhinav Kaiser and I am in charge of designing a website for our church. We recently purchased easy php calendar ($49.98 package). I am using wordpress as the main engine. I would want to integrate the easy php calendar login along with wordpress so that the person (non technical) who would be making the changes doesn't have to login in two separate places. I am using the ioncube package by the way.

Is there anyway that I could get the non encrypted version of the package so I can integrate easy php calendar with wordpress?

thanks,

Abhinav

ve9gra · 03-31-2006, 07:02 AM

The script is only distributed in encrypted form.

The way to integrate it is to create a generic user account for the Calendar. Then you create a page that checks the Wordpress authenticaton to make sure a user has the rights to access the calendar. In that page, if authentication is successful, you redirect the user to the events manager using the generic user account you previously created.

This FAQ explains how to form the URL when redirecting - Bypass the login screen?

thall · 04-07-2006, 12:33 AM

ve9gra,

I'm working with Abhinav on this project and I'm a little confused.

I understand this part:

"...create a generic user account for the Calendar. Then you create a page that checks the Wordpress authenticaton to make sure a user has the rights to access the calendar. In that page, if authentication is successful, you redirect the user to the events manager using the generic user account you previously created."

My question is,
I read the instructions in this article: Bypass the login screen?

which say to pass the credentials to the script like this:

/events/index.php?name=demo&pwd=demo

it's my understanding that if we do a redirect in php then the querystring information that contains the username and password would be sent in plain text down to the browser and the browser will then send a request to the server to ask for the page to redirect to.

Isn't this a big security hole?

or am I missing something...?

https/SSL?

ve9gra · 04-07-2006, 06:40 AM

As long as you don't use the admin account, the only thing they'll have access to is to post/edit/delete events. For added security you can even enable XSS protection in the Setup Manager but be aware that it will mangle URLs that contain parameters.

What some users have done is generate a md5 hash of the password and used that (manually adding it to the config.inc.php) to obscure the password and to make it almost impossible to just remember what the password is.

I'm looking into another possibility and will let you know the results.

ve9gra · 04-07-2006, 07:20 AM

Here's a way so that you can use POST variables instead. The page doesn't even show at all, it barely flickers white and then it goes to the "Logging in..." page. This is only an example of how to implement it. You will have to make it work for your installation...

To test it out, just pass "?login=auto" to the page and it will automatically use the username and password specified. If the login GET variable is not passed, then it will just display a login form that redirects to your calendar.

Code:

<?php

// Replace this section with your own authentication code

if(isset($_REQUEST['login'])) $login = $_REQUEST['login'];
if(isset($login)) {
        if($login=="auto") {

// End replace

// CODE FOR AUTO LOGIN

// Don't forget to change the **username** and **password**
// values in the form below. Also change the form's action to 
// work with your installation and file locations.
?>
<html>
<head>
<title>Login Test</title>
<SCRIPT TYPE="text/javascript">
function init()
{
        document.autologin.submit();
}
//-->
</SCRIPT>
</head>
<body onload="init()">
<form name="autologin" action="events/" method="post">
<input type="hidden" name="name" value="**username**">
<input type="hidden" name="pwd" value="**password**">
</form>
</body>
</html>
<?php
        }
} 

// END CODE FOR AUTO LOGIN

// The rest is only for an example and some testing

else {
?>
<html>
<head>
<title>Login Test</title>
</head>
<body>
<form action="events/" method="post">
Username: <input type="text" name="name"><br>
Password: <input type="password" name="pwd"><br>
<INPUT type="submit" value="Send"> <INPUT type="reset">
</form>
</body>
</html>
<?php
}
?>

foaad · 11-14-2006, 11:46 AM

Geravis,
I am using the demo version 6 and it seems like it uses seession ids vs. user and pass in urls; http://www.mysite.com/calendar/event...e711a7638f67b1
How should I deal with passing authentication through automatically in such a situations?

ve9gra · 11-14-2006, 04:46 PM

I beleive that Brian's answer to your other post will get you on the right track.