Leon’s Weblog

December 10, 2007

WordPress Auto-Login

Filed under: Software Dev — leon @ 9:31 pm

WordPress is a great blogging engine. It’s flexible, scalable, and easy to tweak/configure to integrate into an existing PHP site. However, if you have an existing site with its own user authentication and management capabilities, getting WordPress to accept those credentials (in a single sign-on fashion) can be a bit of a challenge.

Before we proceed, I should note that there are a number of available plugins that enable WordPress to integrate with some of the popular content management systems out there. Our requirement is a bit different, however. We want to bypass WordPress’ authentication mechanism altogether and have users log in through the main portion of the site. In fact, in a well-integrated site, the interface should make navigating between WordPress pages and the rest of the site seamless to the user. Our goal is to write a WordPress plugin that will automatically authenticate a user who is already logged into the parent site (and, consequently, grant the user access to edit the blog’s content). All other users will have the rights of an unregistered visitor.

In my setup, the main site has role-based permissions and the WordPress setup only has one account for each role (i.e. admin, editor, user etc…). The plugin first checks the role of the user logged in to the main site and then simulates a WordPress login anytime the user navigates to the blog. You should be able to customize this method for your own needs.

function auto_login() {
    if (!is_user_logged_in()) {
        //determine WordPress user account to impersonate
        $user_login = 'guest'; 

        //get the user's stored password hash and hash it again
        $user = new WP_User(0, $user_login);
        $user_pass = md5($user->user_pass); 

        //login, set cookies, and set current user
        wp_login($user_login, $user_pass, true);
        wp_setcookie($user_login, $user_pass, true);
        wp_set_current_user($user->ID, $user_login);
    }
}
add_action('init', 'auto_login');

Additional notes and caveats for the attentive reader

  • There is a wp-includes/pluggable.php file that defines all the functions that you can override and hook into. The WordPress API documentation is not very thorough, so you may need to review the actual code.
  • WordPress uses a double MD5 hash of the password to authenticate the user. In the database, the password is stored as a single hash. We need to hash that password again before passing it into the wp_login() function (and set the third parameter to indicate that the password is already hashed). Obviously, hard-coding the actual password would be a big no-no.

We did all this work to log in, but what about logging out? We have several options. First, we can call WordPress’ logout method, which is wp_clearcookie(), from the main site. The drawback to this approach is that we need to include all the WordPress libraries in our main site for this to work (too much unnecessary overhead IMHO). The other approach is to not use cookies at all, thus removing the need to log out. To do this we simply remove the call to wp_setcookie() in our plugin and override the auth_redirect() function to do nothing. This works because we impersonate the user on every page load and the only WordPress code that checked the cookie was in auth_redirect() until we got rid of it. Another side effect of this is that unauthenticated WordPress users will no longer be taken to the WordPress login page (but we didn’t want that anyway).

Update 6/4/08: There were a few changes to the WordPress API as of version 2.5 and some of the functions I used above became deprecated. The API documentation has also improved. A better way to implement the auto_login() function above is as follows.

function auto_login() {
    if (!is_user_logged_in()) {
        //determine WordPress user account to impersonate
        $user_login = 'guest';

        //get user's ID; stop if the account does not exist
        $user = get_userdatabylogin($user_login);
        if (!$user) {
            return;
        }
        $user_id = $user->ID;

        //login
        wp_set_current_user($user_id, $user_login);
        wp_set_auth_cookie($user_id);
        do_action('wp_login', $user_login);
    }
}
add_action('init', 'auto_login');
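
The snippets above hard-code 'guest'; the role check described earlier could look like the following. This is an added example, not code from the original post: the role names, the WordPress account names and the `$_SESSION['site_role']` key are hypothetical, and it assumes the blog runs in the same PHP session as the parent site. The role is read only from server-side session state, never from a request parameter, and the cookie-less variant is used so blog access ends with the parent session.

```php
<?php
/*
Plugin Name: Parent-site role auto-login (added example)
*/

// Constructed allow-list: parent-site role => WordPress account login.
// Role names and account names are hypothetical.
function example_role_map() {
    return array(
        'admin'  => 'blog_admin',
        'editor' => 'blog_editor',
        'user'   => 'blog_user',
    );
}

// Return the WordPress login for the current parent-site session, or null.
function example_resolve_wp_login() {
    if (session_id() === '') {
        session_start(); // assumes the blog shares the parent site's PHP session
    }
    // Hypothetical session key written by the parent site's own login code.
    $role = isset($_SESSION['site_role']) ? $_SESSION['site_role'] : null;
    $map  = example_role_map();
    // Only an exact, known role maps to an account; anything else stays anonymous.
    return (is_string($role) && isset($map[$role])) ? $map[$role] : null;
}

function example_auto_login() {
    if (is_user_logged_in()) {
        return;
    }
    $user_login = example_resolve_wp_login();
    if ($user_login === null) {
        return; // no parent-site session: treat as an unregistered visitor
    }
    $user = get_userdatabylogin($user_login);
    if (!$user) {
        return; // mapped account is missing: fail closed
    }
    // Impersonate for this request only. No auth cookie is issued, so
    // the blog login cannot outlive the parent site's session.
    wp_set_current_user($user->ID, $user_login);
}
add_action('init', 'example_auto_login');
```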

9 Comments »

  1. I’ve been searching for this auto-login feature for a while. Thanks for the help! ;)

    Comment by Mateus — March 27, 2008 @ 10:00 pm
  2. Thanks a ton for the tip

    Comment by Santosh — May 28, 2008 @ 12:26 pm
  3. I have been trying to figure out the auto login feature for a while. I am not a php programmer at all. The website I developed that I want to tie into the blog is in flash. I want to auto login in the background when a link is clicked from the Flash website.

    I looked at your code above and it looks interesting but how do I implement it?

    Thanks,

    Rob

    Comment by Rob McFaul — September 24, 2008 @ 8:00 am
  4. Rob, Save the auto_login() function in a .php file and place it in your WordPress plugins folder. You will have to enable the plugin using the WordPress configuration page. Good Luck.

    Comment by leon — September 24, 2008 @ 11:01 am
  5. Thanks. I am still confused slightly. I can pass variables from Flash to a PHP page. I want to send your plugin the User Name and Password from Flash.

    I am still not able to figure how to make that work with your script.

    Thanks,

    Rob

    Comment by Rob McFaul — September 24, 2008 @ 6:42 pm
  6. Hello there,
    I was just wondering, will this plugin work if the main site that the users are using to login is a .NET site? If not, what shall I do to get it to work?
    Thanks,

    Kaly

    Comment by Kaly — October 16, 2008 @ 6:16 pm
  7. Kaly,
    The plugin will work as long as you can pass the desired user name and password to it. You can do this from .Net, Java, Flash or even CGI although it’s much easier if you use PHP. For a .Net site, why not use a native blog engine like BlogEngine.Net?

    Comment by leon — October 16, 2008 @ 6:27 pm
  8. Thanks for the reply Leon,
    Well I’m not a PHP programmer, I’m a .NET developer, and I’m doing that for a client of mine, the reason why I can’t use BlogEngine is simply because the client wants WordPress!
    Anyway, I’ll try this plugin, and I’ll let you know if it works or not :)
    Thanks!
    Kaly

    Comment by Kaly — October 17, 2008 @ 3:27 am
  9. I’m trying to implement this feature,

    though somehow it gives errors,

    I don’t have the password though, but it sets the cookies that are required,
    yet they are somehow different.

    My script is however not included in the wp scripting, it’s a side-script
    to auto logon a user through Active Directory.

    wp_cache_init();
    $user = get_userdatabylogin($sUserName);
    $user_id = $user->ID;
    wp_set_current_user($user_id, $sUserName);
    wp_set_auth_cookie($user_id);
    do_action('wp_login', $sUserName);

    It does not generate any errors, and gives a cookie, but the cookie is incorrect.

    Comment by Patrick — October 27, 2008 @ 9:30 am
