Hi,
I'm making a plugin to automatically authenticate users from another app into Elgg. I created a plugin that reads the other app's cookie and database. It hooks the function from mod/own_auth/start.php
register_elgg_event_handler('init','system','own_auth_init');
and uses this code to make the auth:
if ($user = authenticate($login,$pass))
    $result = login($user);
It works OK, but when I try to make any action with an auto-authenticated user, the system shows a 'token mismatch' error and no action is made.
What is missing in the own_auth_init function?
- Kevin Jardine (@kevin)
- Kevin Jardine (@kevin)
- Salva Maine (@salvamaine)
Elgg checks the session_id to ensure that actions are only called from within Elgg.
The session ID is needed even if the user is not logged in.
See the validate_action_token() code in engine/lib/actions.php.
So your options are to avoid actions or to make sure that an Elgg session is created.
In your case it looks like a session id should be available, but perhaps the cookie is set only for the Elgg-specific URL path?
I think I'm confusing the auth system by logging in every time the plugin is loaded. I'm going to include a condition in the plugin to log in only when it's necessary.
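
The interaction discussed in this thread, as an added example that is not code from the posts or from Elgg: a small model of a session-bound action token, showing why a token rendered into a form stops validating when the init handler logs in again on the next request, and how a guard avoids it. The token formula, `SITE_SECRET`, `model_login()` and both `init_*` functions are hypothetical, and the model assumes that logging in issues a new session id.

```php
<?php
// Added model, not Elgg's code. Assumptions: the action token is an HMAC over
// the timestamp and the session id, and logging in rotates the session id.
const SITE_SECRET = 'constructed-site-secret'; // constructed sample value

function make_token(string $sessionId, int $ts): string {
    return hash_hmac('sha256', $ts . '|' . $sessionId, SITE_SECRET);
}

function token_is_valid(string $token, string $sessionId, int $ts): bool {
    return hash_equals(make_token($sessionId, $ts), $token);
}

// Hypothetical stand-in for login(): binds the user and issues a new session id.
function model_login(string $user): array {
    return ['id' => bin2hex(random_bytes(16)), 'user' => $user];
}

// Variant A: authenticate on every request, as the init handler in the thread does.
function init_always(array $session, ?string $externalUser): array {
    return $externalUser === null ? $session : model_login($externalUser);
}

// Variant B: log in only when the session is not already bound to that user.
function init_guarded(array $session, ?string $externalUser): array {
    if ($externalUser === null || $session['user'] === $externalUser) {
        return $session;
    }
    return model_login($externalUser);
}

// Two requests from one browser: a page view that renders a form, then the submit.
function simulate(callable $init): bool {
    $session = ['id' => bin2hex(random_bytes(16)), 'user' => null];
    $session = $init($session, 'alice');          // request 1: init runs
    $ts = time();
    $token = make_token($session['id'], $ts);     // token embedded in the form
    $session = $init($session, 'alice');          // request 2: init runs again
    return token_is_valid($token, $session['id'], $ts);
}

foreach (['init_always', 'init_guarded'] as $variant) {
    printf("%s: token %s\n", $variant, simulate($variant) ? 'accepted' : 'mismatch');
}
```

The guard in variant B compares the session's user with the user named by the other app's cookie, so a change of external user still triggers a fresh login instead of reusing the old session.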