Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Login question

This topic contains 2 replies, has 3 voices. Last updated by  Jason (Lead Developer) 3 years, 12 months ago.

Posted: Monday Jan 7th, 2013 at 7:07 am #36448

We are using as2 membership for managing membership in our WordPress website, but we are also developing a separate, non-WordPress web app in Ruby on Rails, and would ideally like to have a single sign-on shared between the website and the web app. Is this something you have ever seen done? I could make the Rails app an OAuth provider or consumer if that helps. The sites are hosted on different servers so the webapp cannot access the as2membership database tables. Even if it could, I am not sure this is the right solution. We’d be very grateful for any advice or suggestions on how to securely share credentials between the two. (BTW We don’t have much PHP experience to e.g. build a custom WordPress plugin etc.)
Many thanks!

Posted: Tuesday Jan 8th, 2013 at 8:07 pm #36651
Bruce
Username: Bruce
Staff Member

Hi Carlo,

You could possibly do this. The info in Knowledge Base » Protecting Non-WordPress Content with s2Member should be useful. You WILL need to do one of the following things to get this to work, though.

1) Integrate your other web app with the WordPress database, and use the logins and SALT key within WordPress to access user data. This would be the most advanced and user-friendly route.

OR

2) Add an API that would send user data to the other app whenever a user is created/edited/deleted within WordPress, and vice versa. I would try to stay away from this if you can, but it is a viable alternative.

Both of these solutions require an advanced knowledge of PHP and you’ll want to get a developer to do this for you if you don’t feel comfortable doing it yourself. Note that this is something that’s set up outside of s2Member. You’ll be integrating WordPress with your Ruby on Rails app, not s2Member. You may be able to find some info on setting this up in the WordPress forums.

Posted: Saturday Jan 12th, 2013 at 3:55 am #37091
Staff Member

Thanks for the heads up on this thread :-)

Regarding Single-Sign-On functionality…

s2Member integrates seamlessly with WordPress, so all of the WordPress framework functions like this one, which I would consider strongly in this type of integration, will work just fine for you. See: http://codex.wordpress.org/Function_Reference/wp_authenticate

So how might you go about this? I would create an MU plugin for WordPress that logs someone in using an encrypted username/password combo, and perhaps call upon that in a hidden image tag, or in some way that allows cookies to be set for the WordPress-driven portion of your site, upon logging into another area of your site, which maybe is NOT driven by WordPress.

Please create this directory and file:
/wp-content/mu-plugins/s2-hacks.php
(NOTE: these are MUST USE plugins, see: http://codex.wordpress.org/Must_Use_Plugins)
(See also: http://www.s2member.com/kb/hacking-s2member/)

<?php
add_action('init', 'single_sign_on_handler');
function single_sign_on_handler()
{
	if(!empty($_GET['ss_username']) && !empty($_GET['ss_password']))
		{
			// wp_authenticate() only validates the credentials and returns a WP_User or WP_Error.
			$user = wp_authenticate($_GET['ss_username'], $_GET['ss_password']);

			// Set the WordPress auth cookies, so the user is logged in if the values were correct.
			if(!is_wp_error($user))
				wp_set_auth_cookie($user->ID);

			// Let's display an image (a 1x1 GIF).
			header('Content-Type: image/gif');
			echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
			exit; // Stop here so no page output is appended to the image.
		}
}

Now... you might call upon this single-sign-on handler in your other applications, by displaying a hidden image tag, that looks something like this.
<img src="http://example.com/wordpress/?ss_username=johnsmith&ss_password=password" width="1" height="1" />

Of course, this is a crude example. If I were setting this up, I would be ABSOLUTELY sure that the values of ss_username and ss_password were encrypted before displaying them in an IMG tag. You might also want to build in an encrypted hash, to ensure the data is coming from your own application, and is not a hacking attempt.
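An added example, not part of the original reply and not s2Member code: one way the Rails side could build the "hash that proves the data comes from your own application" mentioned above. It swaps in a different technique from encrypting the username and password: the Rails app sends a short-lived, single-use assertion signed with HMAC-SHA256, so no password appears in the image URL. `SSO_SECRET`, `TOKEN_TTL`, `issue_token` and `verify_token` are hypothetical names, and the verification half is shown in Ruby only to make the check concrete; the WordPress MU plugin would repeat it in PHP with `hash_hmac()` and `hash_equals()`.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"
require "set"

# Constructed demo secret (assumption); load the real one from config on both servers.
SSO_SECRET = "constructed-demo-secret-change-me"
TOKEN_TTL  = 60 # seconds a token stays valid

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SSO_SECRET, payload)
end

# Constant-time comparison, so response timing does not reveal how much of the MAC matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Rails side: issue a token for a user who has already authenticated there.
def issue_token(username, now: Time.now.to_i)
  claims  = { "u" => username, "exp" => now + TOKEN_TTL, "n" => SecureRandom.hex(16) }
  payload = Base64.urlsafe_encode64(JSON.generate(claims), padding: false)
  "#{payload}.#{sign(payload)}"
end

# Receiving side: returns the username, or nil when the token must be rejected.
# seen_nonces stands in for a persistent store of already-used nonces.
def verify_token(token, seen_nonces, now: Time.now.to_i)
  payload, mac = token.to_s.split(".", 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, sign(payload)) # forged or altered
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil if claims["exp"].to_i < now              # expired
  return nil unless seen_nonces.add?(claims["n"])     # replayed
  claims["u"]
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  seen  = Set.new
  token = issue_token("johnsmith") # constructed sample user
  puts "first use: #{verify_token(token, seen).inspect}"
  puts "replay:    #{verify_token(token, seen).inspect}"
end
```

The token would replace the `ss_username` and `ss_password` parameters in the image URL, and the URL itself should be served over HTTPS.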

This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
