My client explicitly does not want to use the WordPress ‘multisite’ option.
My client has a main site and 199 sub sites (other domains).
A user has usermeta with meta key: branch_id
As an example (completely made up names):
Main site: kero.com
Sub site: uka.com (and many others)
Both domains have SSL certificates.
The end goal is as follows:
When you log in to the main site (kero.com), I have built a plugin which checks which branch ID is attached to the user. It goes like this:
    function myplugin_auth_signon( $username, $password ) {
        // Look up the user by e-mail address and read the branch ID from usermeta.
        $user = get_user_by('email', $username);
        if ( ! $user ) {
            return; // unknown user: leave it to the normal login flow
        }
        $user_id = $user->ID;
        $key = 'branch_id';
        $single = true;
        $branch = get_user_meta( $user_id, $key, $single );
        if($branch == 'number') {
            //magic happens here!
            // Note: $url (the sub site's base URL) is not defined in this snippet.
            $cookie = "cookie.txt";
            $postdata = "log=" . $username . "&pwd=" . $password . "&wp-submit=Log%20In&redirect_to=" . $url . "wp-admin/&testcookie=1";
            $ch = curl_init();
            curl_setopt ($ch, CURLOPT_URL, $url . "wp-login.php");
            curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // turns off TLS certificate verification
            curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
            curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
            curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
            curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 0);
            // The cookie jar is a file on the server that runs this code.
            curl_setopt ($ch, CURLOPT_COOKIEJAR, $cookie);
            curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookie);
            curl_setopt ($ch, CURLOPT_REFERER, $url . "wp-login.php");
            curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata);
            curl_setopt ($ch, CURLOPT_POST, 1);
            $result = curl_exec ($ch);
            curl_close($ch);
            //This is from the answer of the link. On the end url the users get redirected from wp-admin to my-account
            header('location: ' . $url . 'wp-admin/');
            die();
            //after logging in redirect the user to uka.com/my-account
        }
    }
    add_action( 'wp_authenticate', 'myplugin_auth_signon', 30, 2 );
So I built all kinds of stuff. I used this link for the //magic happens here part:
Click here.
It does not work as intended. It keeps me on the main website, but when I click on ‘store’ it is in the sub site. When I go to my-account (where I should be logged in) I’m not logged in anymore.
I wrote some other code:
    $response = wp_remote_post( $url, array(
            'method' => 'POST',
            'timeout' => 45,
            'redirection' => 5,
            'httpversion' => '1.0',
            'blocking' => true,
            'headers' => array(),
            'body' => array(
                'username' => $username,
                'password' => $password
            ),
            'cookies' => array()
        )
    );
I don’t really know how to use this for my personal goal. I can echo the results, but then get a big array of headers etc. And when I surf to the subsite: I’m not logged in… So it just does not keep sessions/cookies.
TBH: I’m really a beginner on the whole session/cookie/security stuff. Most of the time I build in WordPress or Laravel and most of the security stuff is already handled then.
Thanks everyone who is taking the time to read this.
UPDATE: Added extra cURL code!
3 Answers
You cannot set cookies from site A that will be applicable on site B, therefore your “login by proxy” scheme will not work, and cannot be made to work. In addition, storing passwords in plain text is just a big no-no.
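
The point this answer makes, modelled as an added example (not code from the question or the answer): a simplified RFC 6265 cookie jar showing that the cookie uka.com returns to the cURL call lands in the server's jar, and that kero.com cannot scope a cookie to uka.com in the visitor's browser. Cookie names and values are constructed, and public-suffix checks are left out.

```javascript
// Simplified RFC 6265 model; cookie names and values are constructed.
// Section 5.1.3: host matches if identical, or it ends with "." + domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Handle a Set-Cookie header from a response served by responseHost.
  // Returns false when the cookie is rejected.
  store(responseHost, setCookie) {
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    const m = attrs.map((a) => /^domain=(.+)$/i.exec(a)).find(Boolean);
    const domain = m ? m[1].toLowerCase().replace(/^\./, "") : null;
    // A response may only scope a cookie to its own host or a parent of it.
    if (domain !== null && !domainMatches(responseHost, domain)) return false;
    this.cookies.push({ name: pair.slice(0, eq), value: pair.slice(eq + 1),
      domain: domain ?? responseHost.toLowerCase(), hostOnly: domain === null });
    return true;
  }

  // Cookie header this jar would attach to a request for requestHost.
  headerFor(requestHost) {
    const h = requestHost.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// The flow from the question: the browser logs in at kero.com, whose PHP
// code then posts the credentials to uka.com with cURL.
function replayQuestionFlow() {
  const browser = new CookieJar();    // the visitor's browser
  const serverCurl = new CookieJar(); // cookie.txt on the kero.com server
  browser.store("kero.com", "session=main-abc; Path=/; Secure; HttpOnly");
  serverCurl.store("uka.com", "session=sub-xyz; Path=/; Secure; HttpOnly");
  // kero.com trying to hand the sub-site cookie to the browser is refused:
  const relayed = browser.store("kero.com", "session=sub-xyz; Domain=uka.com");
  return { relayed, browserToKero: browser.headerFor("kero.com"),
    browserToUka: browser.headerFor("uka.com"),
    curlToUka: serverCurl.headerFor("uka.com") };
}
```

The only jar holding a uka.com session is the server-side one, which is why the visitor arrives at the sub site without a login cookie.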