johncoolio

  1. I see a few people have requested this and I want to do this as well. I see one possible code injection point: The OA_Start() function in 'www/admin/config.php' has this line of code:

         if (!OA_Auth::isLoggedIn() || OA_Auth::suppliedCredentials()) {

     Right after that line, I plan to inject an include to my own PHP file somewhere on the system. That file will initiate a redirect to our own login interface. Since I don't care about what level a user operates at, I'm just going to copy the existing 'sessiondata' blob from the 'rv_sessions' database table for full admin rights. Upon successful SSO sign in, I'll set the "sessionID" cookie to the same value that I also insert into the 'rv_sessions' table (with the aforementioned data) prior to redirecting back to the admin interface. This way, I only need to modify one line of code whenever I go to upgrade the system and login is transparently tied to our own systems.

     Support for SSO systems from Revive would be a simple matter of doing a check at a location for a PHP file that normally doesn't exist. However, if it exists, execute that file and exit. If it doesn't exist, then just do the built-in login system thing. It would be up to the integrator to generate the correct information for the database and set a valid browser cookie. They'd also be mostly on their own as far as the login and permissions systems go. I'm fine with that.
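
The hook check and session seeding described in the post above, sketched as an added example that is not part of the original post or of Revive Adserver. The column names, the hook path and the function names are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Added example, not Revive Adserver code. 'rv_sessions', 'sessiondata' and the
// "sessionID" cookie come from the post; column names, paths and function
// names below are assumptions.

// Core side: only run the optional hook if it is a regular file that the web
// server user cannot modify, since whatever it contains executes pre-login.
function sso_hook_usable(string $path): bool
{
    return is_file($path) && !is_link($path) && !is_writable($path);
}

// Integrator side: insert the session row and return the new session ID.
function sso_seed_session(PDO $db, string $sessionData): string
{
    $id = bin2hex(random_bytes(16)); // unguessable: the ID alone grants access
    $stmt = $db->prepare(
        'INSERT INTO rv_sessions (sessionid, sessiondata, lastused) VALUES (?, ?, ?)'
    );
    $stmt->execute([$id, $sessionData, gmdate('Y-m-d H:i:s')]);
    return $id;
}

// Cookie attributes that keep the ID off plain HTTP and away from page scripts.
function sso_cookie_options(): array
{
    return ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed demo: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rv_sessions (sessionid TEXT PRIMARY KEY, sessiondata TEXT, lastused TEXT)');

$id = sso_seed_session($db, 'CONSTRUCTED-SESSIONDATA-PLACEHOLDER');
if (PHP_SAPI !== 'cli') {
    setcookie('sessionID', $id, sso_cookie_options());
}
$rows = (int) $db->query('SELECT COUNT(*) FROM rv_sessions')->fetchColumn();
printf("seeded %d session row, id length %d\n", $rows, strlen($id));
var_dump(sso_hook_usable(__DIR__ . '/sso-hook.php')); // hypothetical hook path
```

Because every session seeded this way carries the same copied 'sessiondata', the external SSO system becomes the only access control in front of the admin interface.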