LuxCal Forum

The place for questions, suggestions and news about the LuxCal Event Calendar

How to use SSO
Posted:  23 Jan 2013 17:43   Last Edited By: Roel B.
Hi,

I'm playing with the latest luxcal and trying to figure out how to use SSO. I've read the Luxcal Installation and Configuration Guide and it led me to write the following PHP:


<?php
session_start();
$_SESSION['lcUser'] = 'test';
?>
<html>
<iframe src="http://myluxcal.com/"></iframe>
</html>


But on viewing the page it just tells me that I need to log in. The PHP above and my luxcal are on the same webserver.
Posted:  23 Jan 2013 22:07   Last Edited By: Roel B.
Hi there,
Basically your PHP code looks fine, but are you sure that . . .
- the statement session_start(); is executed before any output has been sent to the browser? This is a PHP restriction.
- an account was created (e.g. by the admin) with the username 'test'? If the user 'test' is unknown by the calendar, it cannot log in the user.
Roel
Posted:  25 Jan 2013 15:44   Last Edited By: Roel B.
Hi Roel,

That is the only code in my test.php file and yes the user exists.

From what I can see in the luxcal index.php the session variable lcUser is not set.
Posted:  25 Jan 2013 16:26
Hi,

Ok, the luxcal index.php names its session before calling session_start().

If I use session_name('LCS'.$calId) in my test.php script before session_start() then it still does not work.

If I comment out session_name('LCS'.$calId) in the luxcal index.php then it works.
Posted:  25 Jan 2013 16:40
Hi,

So with it working with the workaround I placed my script on a different server and it displayed the luxcal calendar as the user.

So with security in mind am I right in thinking that maybe the user name we use to SSO should be long and alphanumeric to prevent someone else writing a similar php script?

Otherwise I can see people who should not have access to the calendar being able to access it if they guess the user name.
Posted:  25 Jan 2013 21:37   Last Edited By: Roel B.
Hi Azdour,
You are perfectly right. I added the session_name('LCS'.$calId) in the last version of LuxCal and this indeed conflicts with SSO.
Commenting it out is fine.

You're also right about short user names. I've introduced SSO based on user name or user email address several LuxCal versions ago and I regret the user name. I didn't want to take the user name out afterwards, because it could confuse users.
However, if you can, it would be much better to store the user email address in the variable $_SESSION['lcUser'], so . . .

<?php
session_start();
$_SESSION['lcUser'] = 'john.wayne@gmail.com';
?>


and then change line 99 in the index.php file into . . .

    $rSet = dbQuery("SELECT user_id FROM [db]users WHERE email = '{$_SESSION['lcUser']}'");

Ok, people can still guess an email address, but not as easily as a short user name.
Cheers,
Roel
Posted:  05 Feb 2013 15:08
I'm definitely finding the SSO very confusing since I'm not a programmer. In the documentation it has: $_SESSION['lcUser'] = <user name | user email>; but when I try $_SESSION['lcUser'] = <user email>; it generates an error.

In the forum it is shown as:

<?php
session_start();
$_SESSION['lcUser'] = 'john.wayne@gmail.com';
?>

From what I can find out with php, the <?php is like a <div> tag and the ?> the end of the tag
?>

If I used a fixed email address like the example given then wouldn't all events be created by that user, wouldn't a malicious user then be able to delete any or all events?

I'm trying to set it up so a number of LuxCal calendars can all use SSO to access the database of a single program so they can access any of them.

I have a test one I have set up here. http://www.wacidca.com/location/ontario/london/

Thanks
Dan
__________________
"Little Guy"
Some own motorcycles, others ride them.

Find great LuxCal examples by Schwartz at http://www.calendarforum.dk/index.html
Posted:  05 Feb 2013 19:39   Last Edited By: Roel B.
Hi Dan,

Just a short explanation:
Assumptions:
- the calendar is embedded in your web page
- your web page has a log in mechanism
- users that are automatically logged in in the calendar should already have an account in the calendar (e.g. created by the admin)
Explanation:
The code:
<?php
session_start();
$_SESSION['lcUser'] = 'john.wayne@gmail.com';
?>

has the following meaning:
<?php    means: Here starts the PHP code (this is not sent to the browser, it's just used to start the PHP processor on the server)
session_start();    tells PHP to start a PHP session.
$_SESSION['lcUser'] = 'rb@luxsoft.eu';    stores my mail address in the PHP session variable 'lcUser'
?>    tells the PHP processor 'end of PHP code' (from here onwards it's HTML again)
If hereafter the iframe with the LuxCal calendar follows, the calendar in its turn will start a PHP session and PHP will retrieve the variable 'lcUser' with the value 'rb@luxsoft.eu' and the calendar will use this mail address to check if the user with mail address 'rb@luxsoft.eu' exists and if so, log in this user.

In other words:
The user logs in on the home page, and - via the mechanism described above - the home page stores the mail address of the currently logged in user in a PHP session variable; the LuxCal calendar picks up this mail address via the PHP session mechanism and logs in the user in the calendar.

Important: I guess this is not the right mechanism for your calendars, because it assumes that the users having SSO access to the calendar have already an account in the calendar created by the admin. I assume your users should have the possibility to register themselves (without depending on the admin), and once registered SSO should work for them.

I will reply to your email and see what can be done.
Cheers, Roel
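
The mechanism described above, as an added example that is not part of the original posts and is not LuxCal's own code: the host page stores the e-mail address of whoever is currently logged in, and the calendar side resolves it with a bound parameter rather than string interpolation. The function names, the PDO/SQLite `users` table and the sample address are assumptions made for illustration, and both pages are assumed to share one PHP session, as in the setup that worked earlier in the thread.

```php
<?php
declare(strict_types=1);

// Host page side: call only after the host site's own login has succeeded.
// $hostUserEmail is whatever that login stored for the visitor (hypothetical name).
function ssoPublishUser(?string $hostUserEmail): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();               // must run before any output is sent
    }
    $email = $hostUserEmail === null ? false
           : filter_var(trim($hostUserEmail), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        unset($_SESSION['lcUser']);    // nobody logged in: no SSO identity
        return false;
    }
    $_SESSION['lcUser'] = $email;      // per-visitor value, never a fixed literal
    return true;
}

// Calendar side: the lookup from the thread, with the session value bound as
// a parameter instead of being interpolated into the SQL string.
function ssoResolveUserId(PDO $db, array $session): ?int
{
    $email = filter_var($session['lcUser'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;                   // a bare user name is not accepted here
    }
    $stmt = $db->prepare('SELECT user_id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;   // unknown address: stay logged out
}

// Constructed demo data: an in-memory table standing in for the users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.org')");

ssoPublishUser('alice@example.org');                      // before any output
var_dump(ssoResolveUserId($db, $_SESSION));               // known account
var_dump(ssoResolveUserId($db, ['lcUser' => 'test']));    // short user name
var_dump(ssoResolveUserId($db, []));                      // no SSO value set
```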
Posted:  06 Feb 2013 04:25
Hi Roel,

Thanks for the explanation, it does help to clarify it.

You are correct in that as it is, it probably wouldn't work, particularly for something that is nationwide, if the admin has to create the user in the calendar. For example the person registers in my main program which creates their user account and then they try to log into the calendar but an account doesn't exist.

I do have a login module for the other program written by the developer that will use LuxCal. I can provide a link to the documentation if you like on how it works.

The only problem with it is you can only set one calendar for it to work with and I have multiple calendars that any registered user will need to access.

Dan