• Resolved dmeiser

    (@dmeiser)


    Any auth mechanism requiring the user to navigate away from WordPress (e.g. OpenID, Facebook Connect, Google Profile, etc.) causes POST variables to be lost. Therefore, when wp_signon is called, POST is empty and rememberme is non-existent.

    I’ve checked both Janrain Engage and the OpenID provider. Neither implements rememberme and, as a result, they only remember a login for the length of the session. I’ve submitted a patch for the OpenID provider that implements this, but it’s very kludgy.

    With that said, it seems that it would be better to have one of the following options:

    1. change wp_set_auth_cookie to a filter
    2. have wp_signon check alternate locations
    3. call wp_signon with pre-hashed passwords contained in the credentials array

    Here’s further detail:

    Number 1:

    The quickest method, it seems, is to do exactly what I did – tack the value of rememberme onto a return URL (or store it in a SESSION variable). This necessitates overriding wp_set_auth_cookie. The only line from my patch that is different from wp_set_auth_cookie as found in pluggable.php is line 861.

    This is why I say a filter would be better. This way I can still override wp_set_auth_cookie with my function, determine if rememberme is set, and then call wp_set_auth_cookie as found in pluggable.php.

    Number 2:

    This might be a terrible idea for security. I haven’t thought it through from a security standpoint. But it still allows for a simpler solution than overriding wp_set_auth_cookie in order to change a single line.

    Number 3:

    Since OpenID, Facebook Connect, et al, don’t require the user to enter a password on our WordPress site, we never have the password in plaintext. This is problematic because wp_signon currently expects a plaintext password.

    What I could have done was to send the user’s pre-hashed password and then hook the wp_authenticate filter before wp_check_usernamepassword to see if the password was pre-hashed and return the user if the hashes matched. If the password wasn’t hashed, I would call wp_check_usernamepassword and return that value.

    This is fine, but there are 2 problems with this method:

    1. it seems like a lot of overhead to hook wp_authenticate just to get the value of rememberme
    2. bug #15473 blocks this

    Summary

    So, my question is, what would people think of any of these options? Is there a better way to accomplish this?

  • Thread Starter dmeiser

    (@dmeiser)

    Never mind this post.

    What I actually want to have happen is to do this with pluggable functions:

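    // Wrapper pattern: adjust one argument, then defer to the stock pluggable function.
    my_override_function( var1, var2 ) {
        // If the externally supplied value is set, it replaces var2.
        if ( some_other_var ) var2 = some_other_var;
        // Pass var2 (possibly overridden) rather than some_other_var directly.
        wp_pluggable_function( var1, var2 );
    }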
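
An added example, not from this thread or from either plugin: one way to carry rememberme across the redirect described in option 1, assuming the plugin sets the auth cookie itself after verifying the provider's response instead of going through wp_signon. The helper names and the `rememberme` query key are hypothetical; the WordPress functions called are core functions.

```php
<?php
// Added example: hypothetical helpers for a plugin that logs users in through
// an external provider. Function names and the 'rememberme' key are assumptions.

/**
 * Before redirecting to the provider: copy the login form's checkbox onto the
 * return URL, because $_POST will be empty when the user comes back.
 */
function myplugin_return_url_with_remember( $return_url ) {
    $remember = ! empty( $_POST['rememberme'] );
    // Carry only a fixed literal, never the raw POST value.
    return $remember ? add_query_arg( 'rememberme', '1', $return_url ) : $return_url;
}

/**
 * After the provider's response has been verified and mapped to a local user.
 * $user_id must come from that verified response, never from the request.
 */
function myplugin_finish_external_login( $user_id ) {
    $user = get_user_by( 'id', (int) $user_id );
    if ( ! $user ) {
        return new WP_Error( 'myplugin_no_user', 'No local account for this identity.' );
    }

    // The flag is user-controlled, so it may only choose the cookie lifetime.
    $remember = isset( $_GET['rememberme'] ) && '1' === $_GET['rememberme'];

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, $remember ); // second argument is $remember
    do_action( 'wp_login', $user->user_login, $user );

    return $user;
}
```

Because the flag only selects between a session cookie and a persistent one, a tampered query value cannot change which account is logged in.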

  • The topic ‘external authorization and rememberme’ is closed to new replies.