Login to wordpress site from my site

Question

I have a website which is being developed using Zend Framework. I also have a Wordpress site placed on the same server. Is it possible to login to Wordpress site using any (e:g AJAX call) when i login to my Zend site.

Reason:

I have a link to word press blog on Zend site, and when i click on that link, it takes me to Wordpress login page.

I want the user to be taken to word press blog page link as a logged in user.

I researched a lot on this, but not finding the correct path.

Thanks.

Answer 1

Using AJAX between 2 different domain names is forbidden, you can use the Curl function in PHP. http://bit.ly/RBGgfp

Answer 2

There is a security concern over your problem. How to pass the credentials from one website to another without actually passing them…

You need some sort of authorisation process which will tell WP that the user which is being logged in to WP is actually the same user which is already logged to Zend. For this purpose you can't just pass username and passwords in an Ajax call from ZF to WP, because everybody will be able to get users' passwords from the cached JS source code. Also you can't pass just username in ajax call because then everybody could make such ajax call to sign in as someone else.

In general you should limit passing of authorisation through client side requests (Ajax) as much as possible.

One way of doing this is a mechanism used by many social networks (ie Facebook) called OAuth. Facebook uses special tokens for authorisation and no credentials are passed between the Facebook and a website which uses Facebook connect mechanism. Also Facebook uses PHP's curl function to make cross server calls behind the curtain so no trace is left on client side about the authorisation process.

You can but you don't have to use OAuth but it will be a good experience gain if you do.

Another problem you are facing is that probably your ZF and WP use different authorisation cookies on client side. So when authorising user on ZF website you need to make also Ajax call to WP page responsible for login to make sure proper cookies are set.

Summa summarum the process flow will be something similar to this (assuming that user account is already created on both sites):

1. Login user on ZF site.
2. From ZF make curl call containing user id (for example) to WP page which will return some sort of randomly generated token (if user with given ID exists).
3. Once your curl call receives the token from WP, generate the ZF web page with JS which makes Ajax call to WP (How to send Ajax call to WP is explained here: http://codex.wordpress.org/AJAX_in_Plugins ) This Ajax call should contain something like md5 hashed user id and the token.
4. Now on the WP side, WP will receive ZF's Ajax call with the hashed value. So, check if this value is the same as the value after hashing user id and token which WP returned before (in step 2). If yes then login user on the WP site.

Now, because we don't send user password from ZF to WP (and we don't know it on WP side either – because it's encrypted) you can't use wp_signon to sign in user. But you can use wp_set_auth_cookie which for this particular purpose should be sufficient.

It is a rough explanation but I hope it will be of help.

PS wp_login is deprecated and you should avoid using it.

Also wp_login action doesn't call wp_set_auth_cookie which can be a reason why your user didn't appear as logged in a first place.

Try your solution with wp_set_auth_cookie in it. I'm saying this at the end so you don't miss the security concerns above.

Answer 3

Since both sites are on the same server, presumable you can access files form both Zend and WordPress. When you user is loggin into Zend based site, you can add a call to load basic wordpress files, and then use the function wp_set_auth_cookie() to log the user into wordpress.

require_once 'wordpress-directory/wp-load.php';
wp_set_auth_cookie( $wp_user_id );

In your users table on your Zend site, you could have an additional column wp_user_id to store the wordpress user id's for your users, so that you know what user id to pass the wp_set_auth_cookie() function.

I wrote up a blog article in a bit more general terms if you want to check it out as well here