I’m currently programming a single sign-on mechanism for my WordPress site to allow my company’s helpdesk system to authenticate against WordPress.
In order to allow this to happen I’m making use of wp_signon() to sign the user in if they aren’t already signed in. Here’s a simplified version of what I’m doing:
<?php
define('WP_USE_THEMES', false);
require("wp-blog-header.php");

if (!is_user_logged_in() && empty($_POST["log"])) {
    // redirect to login form that submits to this PHP script
    exit(0);
}

if (!is_user_logged_in() && !empty($_POST["log"])) {
    $creds = array(
        'user_login'    => $_POST["log"],
        'user_password' => $_POST['pwd'],
        'remember'      => !empty($_POST["rememberme"]),
    );
    $user_info = wp_signon($creds, false);
    if (!is_wp_error($user_info)) {
        $username = $_POST["log"];
        // $user_info is the WP_User returned by wp_signon(); the original read $user->ID, a variable that was never set
        wp_set_current_user($user_info->ID, $username);
        wp_set_auth_cookie($user_info->ID, true, false);
        // the wp_login action passes the login name and the WP_User object
        do_action('wp_login', $username, $user_info);
    } else {
        // write_log() is the poster's own logging helper, assumed to be defined elsewhere
        write_log(ERROR, "Error authenticating: " . $user_info->get_error_message());
    }
}

$user_info = wp_get_current_user();
/* Code from here uses user attributes to generate and encrypt a single sign-on token */
?>
The problem I’m facing is that even after calling wp_signon(), wp_set_current_user(), wp_set_auth_cookie() and the login actions, the user still isn’t logged in. I get their $user_info object, but they aren’t logged into WordPress, so later on when they follow a secured link back from the support system they can’t get to the page and have to log in again (thus defeating the purpose of single sign-on).

In addition, I’ve tried replacing the whole wp_signon() section with auth_redirect(), and that does successfully log the user into the site, but I’m finding they get redirected to the profile page, even though the URL has a query parameter to redirect them back to my script.
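For reference, here is how WordPress core's own wp-login.php drives wp_signon(), written up as an added example; it is not the poster's code and does not use their helpers. Two facts about core matter here: wp_signon() itself calls wp_set_auth_cookie() and fires the wp_login action, so a handler should not repeat them, and its second argument ($secure_cookie) defaults to '' so that it picks is_ssl(); passing an explicit false forces the non-secure wordpress_* cookie even on an HTTPS site, which then looks for wordpress_sec_* on later requests. The script also validates the redirect_to parameter with wp_validate_redirect() before following it, so the helpdesk cannot be used as an open redirect. The file location, the form field names, the /sso-login/ form page and the nonce action name are assumptions for the example.

```php
<?php
/*
 * Added example (not the poster's code): a standalone SSO entry point that
 * drives wp_signon() the way wp-login.php does. Assumptions: the script sits
 * beside wp-blog-header.php, a login form at /sso-login/ posts
 * log / pwd / rememberme / redirect_to / _wpnonce to it, and the nonce action
 * is named 'sso_login'. Everything else is WordPress core API.
 */
define( 'WP_USE_THEMES', false );
require __DIR__ . '/wp-blog-header.php';

// Where the helpdesk wants the user to land afterwards.
$redirect_to = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : '';
// Only allow redirects to this site (plus hosts added via the
// allowed_redirect_hosts filter); anything else falls back to admin_url().
$redirect_to = wp_validate_redirect( $redirect_to, admin_url() );

if ( ! is_user_logged_in() && empty( $_POST['log'] ) ) {
	// No session and no credentials yet: send the user to the (assumed) form,
	// carrying redirect_to along so it survives the round trip.
	wp_safe_redirect( add_query_arg( 'redirect_to', rawurlencode( $redirect_to ), home_url( '/sso-login/' ) ) );
	exit;
}

if ( ! is_user_logged_in() ) {
	// The form must carry a nonce so a third party cannot submit logins
	// on the user's behalf (CSRF). check_admin_referer() dies on failure.
	check_admin_referer( 'sso_login', '_wpnonce' );

	$creds = array(
		'user_login'    => sanitize_user( wp_unslash( $_POST['log'] ) ),
		'user_password' => $_POST['pwd'], // never trim or sanitize passwords
		'remember'      => ! empty( $_POST['rememberme'] ),
	);

	// wp_signon() authenticates, sets the auth cookies and fires wp_login.
	// Leaving $secure_cookie at its default ('') lets it use is_ssl(), so an
	// HTTPS site gets the secure cookie it will later look for.
	$user = wp_signon( $creds );

	if ( is_wp_error( $user ) ) {
		error_log( 'SSO authentication failed: ' . $user->get_error_message() );
		wp_die( esc_html__( 'Login failed.' ), 401 );
	}

	// Cookies only take effect on the next request; make the rest of *this*
	// request see the user as well.
	wp_set_current_user( $user->ID );
}

$user = wp_get_current_user();
/* build and encrypt the SSO token from $user here, then hand the user back */
wp_safe_redirect( $redirect_to );
exit;
```

The one deliberate choice worth calling out is that nothing here calls wp_set_auth_cookie() or do_action( 'wp_login' ) directly: wp_signon() already did both, and a second wp_set_auth_cookie() with a different $secure flag overwrites the cookie core just issued.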