🍪 Allow to setup cookie token to authenticate user 🍪


A Discourse plugin to add an additional cookie token at the second-level domain, for site/s wanting to do cross-site credential management.

This essentially allows an install at to create a cookie token valid at *

The cookie contains basic information about a user and an HMAC.

The cookie content is base64-encoded. After decoding it you will have:

    "sha256_d": "lROIoUjQVMv1vMThVCMbhS1YehFE4S3aMVKN9Rg2Z7M=",

The HMAC is computed with the secret key set in the admin panel.

plugin settings

Check if the user is logged in

In your website at location or * follow these steps:

  • get the cookie logged_in
  • urldecode the cookie
  • base64-decode the cookie : logged_in
  • urldecode the cookie
  • compute a sha256 of the data
  • compare the HMAC of that sha256 with the hmac in the cookie to check if the user is connected:
if hmac === hmac(sha256, key, data):
    print 'user is logged'
else:
    print 'user not logged'

Example in PHP

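// Undo the transport encoding: URL-encoded -> base64 -> URL-encoded JSON.
$cookie = urldecode($_COOKIE["logged_in"] ?? '');
$cookie = base64_decode($cookie);
$cookie = urldecode($cookie);

$user_infos = json_decode($cookie);
// A missing or malformed cookie can never be a valid login.
if (!is_object($user_infos) || !is_string($user_infos->hmac ?? null)) {
    return 'user not logged';
}

// Rebuild the array of signed fields from the cookie.
$array_hash = array(
    'username' => $user_infos->username,
    'user_id' => $user_infos->user_id,
    'avatar' => $user_infos->avatar,
    'group' => $user_infos->group
);

$hash_test = hash('sha256', json_encode($array_hash, JSON_UNESCAPED_SLASHES));

// The key must match the secret key set in the plugin's admin panel.
$test = hash_hmac('sha256', $hash_test, 'QALS3FtxwKNj39tb');

// hash_equals() compares in constant time, unlike !==.
if (!hash_equals($test, $user_infos->hmac)) {
    return 'user not logged';
}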
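The same check for a Ruby consumer site, as an added example (not code from this plugin): it rejects malformed cookies, compares the HMAC in constant time, and returns nil for a wrong key or an edited field. The cookie layout is assumed from the PHP example above; `SAMPLE_KEY`, `SAMPLE_USER` and all helper names are constructed for illustration.

```ruby
require 'digest'
require 'json'
require 'openssl'
require 'uri'

# Signed fields, in the order the PHP example serializes them (assumed layout).
FIELDS = %w[username user_id avatar group].freeze
SAMPLE_KEY = 'constructed-demo-key' # constructed; not a real secret
SAMPLE_USER = { 'username' => 'alice', 'user_id' => 42,
                'avatar' => '/avatars/alice.png', 'group' => 'staff' }.freeze # constructed

# Hex HMAC-SHA256 over the hex SHA-256 of the JSON-encoded signed fields.
def expected_hmac(info, key)
  json = JSON.generate(FIELDS.to_h { |f| [f, info[f]] })
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, Digest::SHA256.hexdigest(json))
end

# Compares every byte, so timing does not reveal where the first mismatch is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the parsed user hash if the cookie verifies, nil for anything else.
def verify_cookie(raw, key)
  inner = URI.decode_www_form_component(raw.to_s).unpack1('m0') # strict base64
  info = JSON.parse(URI.decode_www_form_component(inner))
  return nil unless info.is_a?(Hash) && info['hmac'].is_a?(String)
  secure_compare(expected_hmac(info, key), info['hmac']) ? info : nil
rescue ArgumentError, JSON::ParserError
  nil # bad %-encoding, bad base64 or bad JSON
end

# Builds a cookie in the assumed layout (sample-data helper, not plugin code).
def build_sample_cookie(info, key)
  json = JSON.generate(info.merge('hmac' => expected_hmac(info, key)))
  URI.encode_www_form_component([URI.encode_www_form_component(json)].pack('m0'))
end

if __FILE__ == $PROGRAM_NAME
  cookie = build_sample_cookie(SAMPLE_USER, SAMPLE_KEY)
  p verify_cookie(cookie, SAMPLE_KEY)  # user hash
  p verify_cookie(cookie, 'wrong-key') # nil
end
```

The JSON that is hashed must match the issuer's serialization byte for byte (field order, slash and Unicode escaping), which is why the PHP example passes JSON_UNESCAPED_SLASHES.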