/* On login requests (this should be determined on the remote host) eg. user visits a URL locally
on the control panel /login-enduser
1. Make a request in the background to session-transfer.php?api-key=<key>&username=<account>
If account is a valid email, no 'access' array needs to be POST'ed in this request
otherwise POST an access array
eg. array('mail' => array('', ''))
eg. array('domain' => array(''))
2. The 'session' id returned by this file should be used to redirect the user
Location: session-transfer.php?session=<SESSION>
Simple example usage (be aware that a session is always created on the end-user, regardless of
whether the link is visited or not).
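// Ask the end-user installation to create a session for $username, limited to $domains,
// and build the URL the user's browser should be sent to.
//   $username  account name to log in as
//   $domains   list of domains, POSTed as access[domain][]
// Returns the redirect URL as a string, or null when the request or its reply is unusable.
function halon_generateLink($username, $domains)
{
	// change these settings
	// Base URL of the end-user installation, including the trailing slash. Use an https:// URL:
	// the API key is sent in the query string of the background request.
	$enduser = '';
	$apikey = 'secret'; // settings.php

	$get = http_build_query(array(
		'username' => $username,
		'api-key' => $apikey
	));
	$access = http_build_query(array(
		'access' => array('domain' => $domains)
	));
	$opts = array('http' => array(
		'method' => 'POST',
		'header' => 'Content-type: application/x-www-form-urlencoded',
		'content' => $access
	));
	$context = stream_context_create($opts);

	// The @ is deliberate: the warning PHP raises for a failed request names the full URL,
	// which here includes the API key. The failure is handled explicitly instead.
	$response = @file_get_contents($enduser.'session-transfer.php?'.$get, false, $context);
	if ($response === false)
		return null;

	$result = json_decode($response);
	// Error replies carry an 'error' member instead of 'session'; accept only a non-empty string id.
	if (!is_object($result) || !isset($result->session) || !is_string($result->session) || $result->session === '')
		return null;

	// Encode the id so an unexpected character in the reply cannot add parameters to the link.
	return $enduser.'session-transfer.php?session='.rawurlencode($result->session);
}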
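// Example call: replace the empty strings with the domains this user may access.
$link = halon_generateLink('User Name', array('', ''));
// halon_generateLink() returns null on failure, so print the anchor only for a real link.
// The link is escaped for the attribute context because its session part comes from the remote reply.
if ($link !== null)
	echo '<a href="'.htmlspecialchars($link, ENT_QUOTES, 'UTF-8').'">End-user</a>';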
// Bootstrap: BASE is the directory that holds this script; both includes are resolved against it.
// $settings, used further down, is presumably set up by one of these includes -- confirm in inc/core.php.
define('BASE', __DIR__);
require_once BASE . '/inc/core.php';
require_once BASE . '/inc/utils.php';

// Every reply from this script, including the JSON ones, is declared as plain text.
header('Content-Type: text/plain');
// Step 2 (browser leg): the user arrives here with ?session=<SESSION> and is redirected to the index page.
// NOTE(review): this listing shows no braces, so as written only the api-key test is nested under the
// session test and the redirect depends solely on $session_name. No visible statement adopts
// $_GET['session'] as the session id, and nothing stops execution after header(). Confirm all three
// against the complete file before relying on this branch.
if (isset($_GET['session']))
// A browser-facing request must never carry the API key; presumably this keeps the key out of
// URLs that end up in browser history and logs.
if (isset($_GET['api-key']))
die('STOP! You should NOT include the api-key in this request!');
// Session name as configured in the settings object; the redirect below is sent only when it is truthy.
$session_name = $settings->getSessionName();
if ($session_name)
header("Location: index.php?page=index");
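// Step 1 (server-to-server leg): authenticate the caller by API key, mark the current session as
// logged in for the given username, and reply with the session id as JSON.
// The key arrives in the query string, so it can be recorded in web-server and proxy logs; expose
// this endpoint over TLS only and restrict who can reach it.
$transfer_configured_key = $settings->getAPIKey();
$transfer_supplied_key = isset($_GET['api-key']) ? $_GET['api-key'] : null;
// Both values must be strings for hash_equals() (a query such as api-key[]=x yields an array), and
// an empty configured key must never match an empty supplied one. hash_equals() (PHP >= 5.6)
// compares in constant time, so response timing does not reveal how much of a guess was correct.
if (!is_string($transfer_configured_key) || $transfer_configured_key === ''
	|| !is_string($transfer_supplied_key)
	|| !hash_equals($transfer_configured_key, $transfer_supplied_key))
	die(json_encode(array('error' => 'Invalid API-key')));

// The username is stored in the session and used as the default mail access entry, so it has to be
// a plain string rather than an array built from username[]=...
if (!isset($_GET['username']) || !is_string($_GET['username']))
	die(json_encode(array('error' => 'No username given')));

// NOTE(review): timezone and the POSTed access array are stored exactly as received; they are only
// as trustworthy as the holder of the API key. Validate their shape where they are consumed.
$_SESSION['timezone'] = isset($_GET['timezone']) ? $_GET['timezone'] : 0;
$_SESSION['username'] = $_GET['username'];
$_SESSION['source'] = 'external';
// Without an explicit access array the session is limited to the username as a single mail address.
$_SESSION['access'] = isset($_POST['access']) ? $_POST['access'] : array('mail' => array($_GET['username']));
$_SESSION['authenticated'] = true;
$_SESSION['navbar_hide'] = $settings->getSessionNavbarHide();

// NOTE(review): the id returned here is what the browser later presents in ?session=, so it acts as a
// bearer credential. No session start or id regeneration is visible in this listing; confirm that a
// fresh id is issued before 'authenticated' is set (inc/core.php is not shown).
die(json_encode(array('session' => session_id())));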
