Thread: roundcube autologin

Yes...
I have the same question.
This seems like a very common scenario. I know this is child's play for the pro's. Can you guys give us a hint?

Download MyRoundcube plugins bundle (see footer) and check out the code of logout_redirect. In the ajax_login folder there is an example how to login from outside Roundcube to get a valid Roundcube session. It should not be a problem to modify it catch login data from where ever you like.

I've found a simple and helpfull hint here.

greez

Hi,

Just wanted to share my success with this after wondering about it for a long time.

Our existing web site allowed people to log in and included a link to RoundCube - where they had to log in again. I wanted them to be able to just log in once. Ideally, I also wanted to avoid sending their login credentials in a URL (or even in POST data).

Here's what I did. Apologies for the large amounts of PHP code - I'm not sure how to upload files.

1. Modified the link on our existing web site so that it included an 'autologin' directive, the user's ID number and a hash of the date, user's e-mail address and password. This ensures that even if an auto-logon URL is captured, it will stop working the following day and never work again. A small caveat is that if a user opens the page at 23:59 and clicks on the e-mail link at 00:01, the auto-login will fail, but this is quite unlikely in our situation.

PHP Code:

$uid = [ get user ID (a number) from our own database ];
$pw = [ get user password from our own database ];
$auth = md5( date('Ymd') . $pw );    // Authorisation token will only work today
echo "<a href=\"link-to-roundmail?_autologin=1&uid={$uid}&auth={$auth}\">Staff e-mail</a>"; 


2. Modified plugsin/autologon/autologon.php to read the user data directly from our existing MySQL table, as long as the authorisation hash was correct:

PHP Code:

class autologon extends rcube_plugin
{
  public $task = 'login';

  function init()
  {
    $this->add_hook('startup', array($this, 'startup'));
    $this->add_hook('authenticate', array($this, 'authenticate'));
  }

  function startup($args)
  {
    $rcmail = rcmail::get_instance();

    // change action to login
    if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']))
      $args['action'] = 'login';

    return $args;
  }

  function authenticate($args)
  {
    if (!empty($_GET['_autologin']) && !empty($_GET['uid']) && !empty($_GET['auth'])) {

      $rcmail    = rcmail::get_instance();
      $db        = $rcmail->get_dbh();
      $result    = $db->query("SELECT `email`,`pw` FROM `our_user_table` WHERE `id` = '{$_GET['uid']}'");
      $data        = $db->fetch_assoc($result);
      if ( !empty($data) )
      {
        $email    = $data['email'];
        $pw        = $data['pw'];
        $date    = date('Ymd');    // YYYYMMDD (no time since this will increase the likelihood of an authentication failure)
        $expect    = md5($date . $pw);
        $auth    = $_GET['auth'];
        if ( $auth == $expect )
        {
          $args['user'] = $email;
          $args['pass'] = $pw;
//        $args['host'] = 'localhost';  // not sure why this was needed
        }
      }
    }
  
    return $args;
  }

} 


3. Added 'autologon' to the array of active extensions in config/main.inc.php:

PHP Code:

// List of active plugins (in plugins/ directory)
$rcmail_config['plugins'] = array('globaladdressbook', 'autologon'); 


(We were already using the Global Address Book plugin.)

That's it!

will's solution works only if their system stores plain text passwords. RC uses IMAP for authentication, so that plain text passwords must be passed back by authentication hooks. ISPConfig3 hosting control panel uses a strong encryption when storing passwords, so that it seems impossible to decrypt them to be able to use these hooks. gabneo's mentioned lilnk suggests making password travel back and forth between server and browser. On one hand it is an extreme security risk, on the other hand it works only if user has javascript turned on. Any other idea on how to emulate this bloody RC session?

I forget the exact details but our system does not store the passwords in plaintext.

This is exactly what I want to do! I'm trying to implement this, but am totally new in this RC world, and still pretty inexperienced with PHP. I think what I'm having trouble understanding, is how you access your SQL users? Specifically:

PHP Code:

      $rcmail    = rcmail::get_instance();
      $db        = $rcmail->get_dbh();
      $result    = $db->query("SELECT `email`,`pw` FROM `mailbox` WHERE `id` = '{$_GET['uid']}'");
      $data        = $db->fetch_assoc($result); 


where you can see I've stuck in my table name "mailbox" for my database, called "postfix". Am I doing this right? Also, has this been implemented on RC .6? That's what I'm working with over here.

Best,
Greg