summaryrefslogtreecommitdiff
path: root/plugins/session/README.md
blob: 6fccc82696a7f40be0f1fc0794209193588d02de (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

Session Auth
============

The session plugin is special in that it does not connect to a specific CMS.
Rather, it allows password-less XMPP authentication based on an existing web
session. This is particularly useful to web-based clients.

The control flow is like this:

* A user authenticates using the normal website login system, and receives
  a session cookie.

* The user opens the associated web chat client.

* Instead of presenting a second login form, the client sends an HTTP request
  to a special public facing script in ejabberd-auth-php (./www/rpc.php).

* The script sees the session cookie, generates a one-time login valid for
  a short time (60 seconds by default), stores it and sends it to the client.

* The client uses this key as a password on ejabberd. Since ejabberd is configured
  to use ejabberd-auth-php, the main application receives the key and checks it.
  If it exists and hasn't expired yet, it confirms the authentication and the user
  is logged in without a password.

Installation
------------

First, configure the database connection in `config.php` by filling in the host,
database, user, password and table name.

Then, install the table by running `php plugins/session/install.php`.

Finally, link the `www/rpc.php` file in your website root somewhere within
your forum's cookie domain and path (most forums set the path to `/`, so the
domain should be sufficient).

Usage
-----

Whenever you need to authenticate to ejabberd, make a POST request to the URL
that points at `www/rpc.php` with `salt` set to a reasonably random 16 character
value.

If the client making the POST request has a valid session for the site you're
authenticating with, then you will receive a JSON-encoded response as follows:

    `{"user":"<user>","secret":"<secret>","time":"<time>"}

From the point in `<time>` to however long you configured the timeout
(60 seconds are recommended), `<secret>` will be accepted as a password
by ejabberd for `<user>` on any domains you set up to use the session
plugin.

Security Considerations
-----------------------

The one-time key is transmitted in clear, and can be intercepted if the connection
is not encrypted. But the same channel is already used to transmit the password
when logging in, as well as the session cookie.
generated by cgit v1.1 at 2024-05-18 19:39:57 +0000