discourse-cookie-token-domain

A Discourse plugin that adds an additional cookie token at the second-level domain, for sites wanting to do cross-site credential management.

This essentially allows an install at forums.example.com to create a cookie token valid at *.example.com.

The cookie contains basic information about the user and an hmac.

The cookie content is base64-encoded. After base64-decoding it you will have:

```json
{
    "username": "CapitaineJohn",
    "user_id": 2,
    "avatar": "/user_avatar/forum.example.com/bonclay/{size}/117_1.png",
    "group": "[VIP]",
    "sha256_d": "lROIoUjQVMv1vMThVCMbhS1YehFE4S3aMVKN9Rg2Z7M=",
    "hmac": "e40575e0f828bcf91b5e30c174dfa4399c72a5acbb32b2a483f8fce42798b1ac"
}
```

The hmac is computed with the secret key set in the admin panel:

plugin settings

Check if the user is logged in

On your website at www.domain.com or *.domain.com, follow these steps:

  • get the logged_in cookie
  • urldecode the cookie
  • base64-decode the cookie
  • urldecode the decoded value
  • compute a sha256 of the signed data (username, user_id, avatar, group)
  • compare the hmac in the cookie with an hmac of that sha256 under the secret key to check whether the user is connected:

```
if cookie.hmac == hmac_sha256(key, sha256(data)):
    print 'user is logged in'
else:
    print 'user is not logged in'
```

Example in PHP

```php
<?php
if (!isset($_COOKIE["logged_in"])) {
    return 'user not logged';
}

// Undo the encoding layers: urlencode(base64(urlencode(json)))
$cookie = urldecode($_COOKIE["logged_in"]);
$cookie = base64_decode($cookie);
$cookie = urldecode($cookie);

$user_infos = json_decode($cookie);

// Only these fields are covered by the hmac, in this order
$array_hash = array(
    'username' => $user_infos->username,
    'user_id' => $user_infos->user_id,
    'avatar' => $user_infos->avatar,
    'group' => $user_infos->group
);

// Recompute sha256(json) and hmac it with the secret key from the plugin settings
$hash_test = hash('sha256', json_encode($array_hash, JSON_UNESCAPED_SLASHES));

$test = hash_hmac('sha256', $hash_test, 'QALS3FtxwKNj39tb');

// hash_equals compares in constant time, so the hmac cannot be guessed byte by byte
if (!hash_equals($test, (string) $user_infos->hmac)) {
    return 'user not logged';
}
```
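The same round trip in Ruby, the plugin's own language, as an added example that is not part of this plugin or README: it assumes the cookie value is urlencode(base64(urlencode(json))) as the decoding steps above imply, hashes the four signed fields in the README's order, and verifies the hmac with a constant-time comparison so that a forged or tampered cookie is rejected without leaking timing.

```ruby
require 'json'
require 'base64'
require 'cgi'
require 'digest'
require 'openssl'

# Fields covered by the hmac, in the order the README's PHP example hashes them.
SIGNED_FIELDS = %w[username user_id avatar group].freeze

# Hex hmac over the hex sha256 of the compact JSON of the signed fields,
# matching hash_hmac('sha256', hash('sha256', json), key) on the PHP side.
def cookie_hmac(user, key)
  data = JSON.generate(SIGNED_FIELDS.map { |f| [f, user[f]] }.to_h)
  OpenSSL::HMAC.hexdigest('SHA256', key, Digest::SHA256.hexdigest(data))
end

# Build the logged_in cookie value: urlencode(base64(urlencode(json))).
# The layering is assumed from the README's decode steps, not taken from the plugin.
def build_cookie(user, key)
  payload = user.merge('hmac' => cookie_hmac(user, key))
  CGI.escape(Base64.strict_encode64(CGI.escape(JSON.generate(payload))))
end

# Constant-time string comparison (dependency-free; Rack and ActiveSupport ship equivalents).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user hash when the hmac checks out, nil on any failure
# (bad encoding, non-object JSON, missing hmac, wrong key, tampered field).
def verify_cookie(cookie, key)
  json = CGI.unescape(Base64.strict_decode64(CGI.unescape(cookie)))
  user = JSON.parse(json)
  return nil unless user.is_a?(Hash) && user['hmac'].is_a?(String)
  secure_equal?(user['hmac'], cookie_hmac(user, key)) ? user : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Constructed sample user, modelled on the README's example cookie.
SAMPLE_USER = {
  'username' => 'CapitaineJohn',
  'user_id' => 2,
  'avatar' => '/user_avatar/forum.example.com/bonclay/{size}/117_1.png',
  'group' => '[VIP]'
}.freeze
```

The verifier must regenerate exactly the same compact JSON as the issuer (same field order, slashes unescaped), otherwise a legitimate cookie fails the check.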