Hi community, I've an Elgg 2.1 installation, and in the same domain and Elgg installation directory I've another PHP application:
/var/www/elgg/htdocs/ <--- Elgg
/var/www/elgg/htdocs/app1 <--- PHP application
So the URLs are:
www.domain.com/index.php <--- Elgg
www.domain.com/app1/index.php <--- PHP application
I've the loginrequired plugin installed to protect some URLs, and I'd also like to protect some URLs of the PHP application, like
www.domain.com/app1/admin/auth
But the Elgg engine is not running in the PHP application, so those URLs are open to the world. Does someone know a way to restrict the external PHP application's URLs to logged-in users?
Thanks in advance!
Steve Clay (@steve_clay) replied:

Here's what I would do:
- Generate a secure 128-bit key and embed it in both applications.
- In Elgg, on every request, generate a string like $msg = time() . "," . elgg_get_logged_in_user_guid(); and use HMAC (hash_hmac()) and the key to generate a $mac, which you'd append to $msg. Send that message as a cookie "Elgg_status".
- In your other application, you can explode the $time, $guid, and $mac and use HMAC and the shared key to verify the time and user GUID. What you won't know is whether they were logged out due to inactivity; you'll just know when they were last verified. The good part is that this is super lightweight, so you can do it on every request.
- In your application, you can always take $_COOKIE['Elgg'] and make an internal HTTP request to Elgg to verify it responds as if you're logged in. But making server-side HTTP requests to Elgg is slow and effectively doubles the load on your server, so do this sparingly.
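A worked implementation of the HMAC-cookie scheme from Steve Clay's reply, added here as an example; it is not code from the original post, from Elgg, or from the loginrequired plugin. It assumes the cookie name "Elgg_status" from the reply, a hypothetical shared constant ELGG_STATUS_KEY that both applications load from a config file outside the webroot, and a hypothetical maximum age that app1 enforces on the timestamp (the reply points out the stamp only says when the user was last verified, so the sibling app has to decide how long to trust it). elgg_get_logged_in_user_guid() is the Elgg 2.x API; everything else is constructed for this example.

```php
<?php
// Added example (not Elgg's or the original poster's code): shared-secret HMAC
// cookie that lets a sibling PHP app under the same domain check Elgg login state.
// Written for PHP 5.6+ (hash_equals) so it matches the Elgg 2.1 era.

// Generate the key ONCE with: php -r 'echo bin2hex(random_bytes(16)), PHP_EOL;'
// (or openssl rand -hex 16) and load the same value in BOTH applications.
// The value below is a placeholder, never ship it.
define('ELGG_STATUS_KEY', '00112233445566778899aabbccddeeff');

define('ELGG_STATUS_COOKIE', 'Elgg_status');   // cookie name from the reply
define('ELGG_STATUS_MAX_AGE', 900);            // hypothetical: seconds app1 trusts a stamp

/**
 * Build the cookie value "<unix time>,<user guid>,<hex hmac>".
 * The MAC covers both fields, so neither can be altered without the key.
 */
function elgg_status_build($time, $guid, $hexKey) {
    $msg = (int) $time . ',' . (int) $guid;
    $mac = hash_hmac('sha256', $msg, hex2bin($hexKey));
    return $msg . ',' . $mac;
}

/**
 * Verify a cookie value. Returns the user GUID (> 0) when the MAC is valid, the
 * stamp is fresh and a user was actually logged in; returns 0 in every other case.
 */
function elgg_status_verify($cookie, $hexKey, $now, $maxAge) {
    $parts = explode(',', (string) $cookie);
    if (count($parts) !== 3) {
        return 0;
    }
    list($time, $guid, $mac) = $parts;
    if (!ctype_digit($time) || !ctype_digit($guid)) {
        return 0;
    }
    $expected = hash_hmac('sha256', $time . ',' . $guid, hex2bin($hexKey));
    // Constant-time comparison: a plain === leaks timing information about the MAC.
    if (!hash_equals($expected, $mac)) {
        return 0;
    }
    // elgg_get_logged_in_user_guid() returns 0 for anonymous visitors, so a valid
    // MAC over guid 0 still means "not logged in".
    if ((int) $guid === 0) {
        return 0;
    }
    // Freshness: reject stamps older than $maxAge and stamps from the future.
    if ((int) $time > $now || $now - (int) $time > $maxAge) {
        return 0;
    }
    return (int) $guid;
}

// --- Elgg side: call from a small plugin on every request (e.g. an 'init','system' handler).
function elgg_status_set_cookie() {
    $value  = elgg_status_build(time(), elgg_get_logged_in_user_guid(), ELGG_STATUS_KEY);
    $secure = !empty($_SERVER['HTTPS']);
    // Session-lifetime cookie, whole domain, Secure when served over TLS, HttpOnly.
    setcookie(ELGG_STATUS_COOKIE, $value, 0, '/', '', $secure, true);
}

// --- app1 side: put at the top of the scripts behind app1/admin/auth.
function app1_require_elgg_login() {
    $cookie = isset($_COOKIE[ELGG_STATUS_COOKIE]) ? $_COOKIE[ELGG_STATUS_COOKIE] : '';
    $guid   = elgg_status_verify($cookie, ELGG_STATUS_KEY, time(), ELGG_STATUS_MAX_AGE);
    if ($guid === 0) {
        http_response_code(403);
        exit('Log in to Elgg first.');
    }
    return $guid; // the verified Elgg user GUID, usable for app1's own authorization
}
```

Two details are worth keeping even if you simplify the rest: hash_equals() instead of === when checking the MAC, and treating GUID 0 as anonymous, because Elgg will happily sign "time,0" for a visitor who is not logged in. The max-age check is this example's own addition; the cookie cannot tell app1 that an Elgg session has since expired, so the shorter the window, the less stale state app1 will accept.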