FE_USER_AUTH cookie across subdomains
Hi All,
I've started making some good progress developing for Contao and really enjoy it.
I've become stuck trying to allow a front end user to stay logged in across subdomains. The reason for this is that we have a multi-language site, each language on a different subdomain, and the checkout will be on another secure subdomain.
I've tried to extend FrontendUser so that I can override methods which call $this->setCookie, so that the domain can include subdomains.
i.e. change lines like this: (line 255)
Code:
$this->setCookie('FE_AUTO_LOGIN', $strToken, ($time + $GLOBALS['TL_CONFIG']['autologin']), $GLOBALS['TL_CONFIG']['websitePath']);
to:
Code:
$this->setCookie('FE_AUTO_LOGIN', $strToken, ($time + $GLOBALS['TL_CONFIG']['autologin']), $GLOBALS['TL_CONFIG']['websitePath'], ".mysite.com");
This seems to have problems of its own (I have to override a lot of methods, from both FrontendUser and User).
And so far it doesn't yet seem to be working as expected (not sure if it's my dev environment setup).
But I can't help but wonder if there's another way to do this?
Maybe a new TL_CONFIG setting?
$GLOBALS['TL_CONFIG']['cookieDomain'] = ".mysite.com";
and then the System.php file can be altered (line 513 onwards) (I don't think I can extend and replace System class through an extension?)
Code:
protected function setCookie($strName, $varValue, $intExpires, $strPath='', $strDomain=null, $blnSecure=null)
{
    if (!strlen($strPath))
    {
        $strPath = '/';
    }
    $strDomain = $strDomain ? $strDomain : $GLOBALS['TL_CONFIG']['cookieDomain'];
    setcookie($strName, $varValue, $intExpires, $strPath, $strDomain, $blnSecure);
}
Has anyone come across a solution to this?
Is it a totally bad idea to change System.php in this way?
Re: FE_USER_AUTH cookie across subdomains
It is generally a bad idea to modify the core files, because they will be overwritten by the next update. Why don't you set the cookie in a HOOK like postLogin? Isn't that possible?
Re: FE_USER_AUTH cookie across subdomains
This looks like exactly what I should be doing.
Thanks for the pointer, I will try that out.
Re: FE_USER_AUTH cookie across subdomains
I have now tried using a hook to implement cross-domain sign-on. It looks like this:
Code:
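// Extends Frontend so that the protected System::setCookie() is reachable via $this
class AuthenticateAcrossDomains extends Frontend
{
    // postLogin hook: re-issue the auto-login token for the parent domain
    public function loginAcrossDomains($User)
    {
        $this->setCookie('FE_AUTO_LOGIN', $User->autologin, ($User->createdOn + $GLOBALS['TL_CONFIG']['autologin']), $GLOBALS['TL_CONFIG']['websitePath'], '.mysite.com');
    }

    // postLogout hook: expire the parent-domain auto-login cookie
    public function logoutAcrossDomains($User)
    {
        $this->setCookie('FE_AUTO_LOGIN', $User->autologin, (time() - 86400), $GLOBALS['TL_CONFIG']['websitePath'], '.mysite.com');
    }
}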
Good news: I can now log in across subdomains by using the autologin feature of Contao (by setting the FE_AUTO_LOGIN cookie domain to .mysite.com)!
Bad news: I can't log out across domains!
Reasons:
- The logout code only logs out the cookie on the current domain. I have no access to the other domains' FE_USER_AUTH cookies at the time I am logging out.
- I cannot overcome this because the postLogin hook occurs after the FE_USER_AUTH cookie is set (and is only set on the current domain), and therefore I cannot clear that cookie and set another one for all subdomains.
- I have tried hacking it so that I set an additional 'FE_USER_AUTH' (".mydomain.com") on postLogout, but Contao doesn't work on any of the other subdomains (FrontendUser->authenticate() line:228 $this->reload() keeps getting called).
Really scratching my head now. Seems like I have to alter/override System->setCookie or extend FrontendUser.
Any other suggestions?
thanks
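The logout behaviour described in the post above follows from how browsers store cookies. As an added example (not part of the original thread and not Contao code), this JavaScript model of the RFC 6265 storage rules replays the scenario; the hostnames en.mysite.com and de.mysite.com and the cookie values are constructed.

```javascript
// Minimal model of RFC 6265 cookie storage (added example; hostnames are constructed).
// A stored cookie is identified by (name, domain, path). A cookie set without a
// Domain attribute is "host-only": it is returned only to the exact host that set it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Process one Set-Cookie received from `host`. `domain` undefined => host-only.
  set(host, { name, value, domain, path = '/', expires = Infinity }) {
    const hostOnly = domain === undefined;
    const dom = hostOnly ? host : domain.replace(/^\./, ''); // a leading dot is ignored
    if (!hostOnly && !domainMatch(host, dom)) return;        // foreign domains are rejected
    // Replacing or deleting requires an exact (name, domain, path) match.
    this.cookies = this.cookies.filter(c =>
      !(c.name === name && c.domain === dom && c.path === path));
    if (expires > Date.now()) this.cookies.push({ name, value, domain: dom, path, hostOnly });
  }

  // Names of the cookies the browser would attach to a request for `host`.
  sentTo(host) {
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map(c => c.name).sort();
  }
}

// Replays the scenario from the post: login on one subdomain, logout on another.
function replayThread() {
  const jar = new CookieJar();
  const past = Date.now() - 86400 * 1000;
  // Login on en: host-only FE_USER_AUTH plus the hook's shared FE_AUTO_LOGIN.
  jar.set('en.mysite.com', { name: 'FE_USER_AUTH', value: 'h1' });
  jar.set('en.mysite.com', { name: 'FE_AUTO_LOGIN', value: 't1', domain: '.mysite.com' });
  const onDe = jar.sentTo('de.mysite.com'); // only the shared cookie reaches de
  // Auto-login on de creates a second host-only FE_USER_AUTH for that host.
  jar.set('de.mysite.com', { name: 'FE_USER_AUTH', value: 'h2' });
  // Logout on de expires its own FE_USER_AUTH and the shared FE_AUTO_LOGIN.
  jar.set('de.mysite.com', { name: 'FE_USER_AUTH', value: '', expires: past });
  jar.set('de.mysite.com', { name: 'FE_AUTO_LOGIN', value: '', domain: '.mysite.com', expires: past });
  // Expiring FE_USER_AUTH for .mysite.com is a different identity than en's cookie.
  jar.set('de.mysite.com', { name: 'FE_USER_AUTH', value: '', domain: '.mysite.com', expires: past });
  return { onDe, deAfter: jar.sentTo('de.mysite.com'), enAfter: jar.sentTo('en.mysite.com') };
}
```

In the result of `replayThread()`, `enAfter` still contains FE_USER_AUTH: no response from de.mysite.com can remove the host-only cookie that en.mysite.com set.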
Re: FE_USER_AUTH cookie across subdomains
Ok so I think I have found the best solution.
Extend FrontendUser
Code:
class MyFrontendUser extends FrontendUser
{
    /**
     * Set a cookie across subdomains if the $strDomain isn't already set
     * (non-PHPdoc)
     * @see system/libraries/System::setCookie()
     */
    protected function setCookie($strName, $varValue, $intExpires, $strPath='', $strDomain=null, $blnSecure=null)
    {
        $strDomain = (is_null($strDomain) ? ".mydomain.com" : $strDomain );
        parent::setCookie($strName, $varValue, $intExpires, $strPath, $strDomain, $blnSecure);
    }
}
However, there's a lot more to it than that, because FrontendUser is initialised by the framework before I can instantiate MyFrontendUser. ....
Wrote this far too late last night, maybe go back to the drawing board ;o)