Using Elgg for user authentication in external site?

I posted earlier about my current project, in which Elgg is being added as a new feature set to our primary site.

There are many functions planned for our primary site that will require the user to be logged in. We need to be able to use their Elgg profile for authentication.

What is the simplest way to, in our external site, detect if the user has a current Elgg session? I just need to get login status, username and/or user guid. We need to verify they are logged in, then show a standard "you are logged in as ____" message in the external site tools.

I have been reviewing web services, but the documentation leads me to think that is more than I need for this step.

Since our primary site is on the same server as Elgg, is there a simple way to grab a session cookie? In reviewing my browser data I see an "Elgg" cookie but it appears to be encoded.

Thanks for your time.

Paul

----------------------
edits: related resources:

1. http://docs.elgg.org/wiki/Session_security
2. https://github.com/Tachyon/Elgg-Web-Services

  • If both are in the same domain, you can get data from the Elgg cookie. Have a look at the Elgg engine/sessions.php. You can decode the cookie. There are Elgg API calls to get user details from the cookie. Another option for you is to load the Elgg engine into your application. Then you can use all the Elgg APIs within your application. But it can create conflicts if Elgg and your application share common functions. The web service API can also be used. There are a few plugins floating around here for that. You can find some in the git repo also.

    We have used all these ways for different applications. The selection of method depends on how well written your external application is.

    Or you can set Elgg as master and the external application as slave, then allow login and registration through Elgg only. When a user is logging in, create a session for the external app also.

  • This paste is a crude, but illustrative way to extract the user's GUID from the DB session given their cookie value. Since engine/start.php uses many globals, including the session, it's usually impossible to include it in most other frameworks.

  • Thank you.

    A simple PHP script was able to read my "Elgg" cookie with $elggstatus=$_COOKIE["Elgg"]; but neither base64_decode() nor urldecode() turns it into usable characters. My search for documentation on the encoding method used by Elgg has not been successful.

    I located elggfolder/engine/lib/sessions.php (I am using Elgg 1.8.3) and have been reading through it. So far, using system-wide search tools, I can only find where the 'elggperm' cookie is saved, and it is stored as an MD5 hash. There appears to be some cookie-related JavaScript code but so far I can't find the "Elgg" cookie.

    I found another related discussion similar to my need: http://community.elgg.org/pg/forum/topic/802655/sharing-session-with-an-external-php-application/ and am in the process of reading it.

  • Steve, thank you. I was composing while you posted. I'll look at your code.

  • Steve, thank you very much! That snippet gave me exactly what I needed at this phase. Here is the code I created, minus my PHP PDO data access coding: http://pastebin.com/SThRzQCK
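
The lookup discussed in this thread, as an added example (not code from the thread, the linked pastes, or Elgg): it treats the "Elgg" cookie as an opaque PHP session ID, fetches the session row with a prepared statement, and reads only the top-level `guid` key so that a string stored elsewhere in the session cannot be mistaken for it. The table and column names (`elgg_users_sessions` with `session`, `ts`, `data`), the `guid` session key, the `ts` freshness window and all function names are assumptions; the demo row is constructed and uses in-memory SQLite in place of Elgg's MySQL database.

```php
<?php
// Added example, not Elgg code. Assumed: sessions are rows of {prefix}users_sessions
// (session, ts, data) and the logged-in GUID is the top-level session key "guid".

// Offset just past the serialized value at $p, without unserializing it.
function skip_value(string $s, int $p): int
{
    if (preg_match('/\G(?:N;|[ibdRr]:[^;]*;)/', $s, $m, 0, $p)) { return $p + strlen($m[0]); }
    if (preg_match('/\Gs:(\d+):"/', $s, $m, 0, $p)) { return $p + strlen($m[0]) + (int) $m[1] + 2; }
    if (preg_match('/\G(?:a|O:\d+:"[^"]*"):(\d+):\{/', $s, $m, 0, $p)) {
        $p += strlen($m[0]);
        for ($n = 2 * (int) $m[1]; $n > 0; $n--) { $p = skip_value($s, $p); } // keys and values
        return $p + 1;                                                        // closing brace
    }
    throw new RuntimeException('malformed session data');
}

// Walk the top-level key|value pairs; text inside other values is never searched.
function guid_from_session_data(string $data): ?int
{
    for ($p = 0; $p < strlen($data) && ($bar = strpos($data, '|', $p)) !== false; $p = $end) {
        $end = skip_value($data, $bar + 1);
        if (substr($data, $p, $bar - $p) === 'guid') {
            $v = unserialize(substr($data, $bar + 1, $end - $bar - 1), ['allowed_classes' => false]);
            return is_int($v) || (is_string($v) && ctype_digit($v)) ? (int) $v : null;
        }
    }
    return null;
}

// $prefix must come from configuration, never from the request. $maxAge is a hypothetical window.
function elgg_guid_for_cookie(PDO $db, string $cookie, string $prefix = 'elgg_', int $maxAge = 3600): ?int
{
    if (!preg_match('/^[A-Za-z0-9,-]{22,255}$/', $cookie)) { return null; } // session-ID alphabet only
    $q = $db->prepare("SELECT data FROM {$prefix}users_sessions WHERE session = ? AND ts >= ?");
    $q->execute([$cookie, time() - $maxAge]);
    $data = $q->fetchColumn();
    return is_string($data) ? guid_from_session_data($data) : null;
}

// Constructed demo: one session row whose display name imitates a "guid" entry.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE elgg_users_sessions (session TEXT PRIMARY KEY, ts INTEGER, data BLOB)');
$sid  = 'a1b2c3d4e5f6a7b8c9d0e1f2a3';
$name = 'x";guid|i:1;';
$data = 'user|' . serialize(['name' => $name]) . 'guid|' . serialize(42) . 'name|' . serialize($name);
$db->prepare('INSERT INTO elgg_users_sessions VALUES (?, ?, ?)')->execute([$sid, time(), $data]);
var_dump(elgg_guid_for_cookie($db, $sid));
```

In the external site the call would be `elgg_guid_for_cookie($db, $_COOKIE['Elgg'] ?? '')`, with a `null` result treated as "not logged in".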