Hi,
Just wanted to share my success with this after wondering about it for a long time.
Our existing web site allowed people to log in and included a link to RoundCube - where they had to log in again. I wanted them to be able to just log in once. Ideally, I also wanted to avoid sending their login credentials in a URL (or even in POST data).
Here's what I did. Apologies for the large amounts of PHP code - I'm not sure how to upload files.
1. Modified the link on our existing web site so that it included an 'autologin' directive, the user's ID number and a hash of the date, user's e-mail address and password. This ensures that even if an auto-logon URL is captured, it will stop working the following day and never work again. A small caveat is that if a user opens the page at 23:59 and clicks on the e-mail link at 00:01, the auto-login will fail, but this is quite unlikely in our situation.
$uid = [ get user ID (a number) from our own database ];
$pw = [ get user password from our own database ];
// Authorisation token will only work today
$auth = md5( date('Ymd') . $pw );
echo "<a href=\"link-to-roundmail?_autologin=1&uid={$uid}&auth={$auth}\">Staff e-mail</a>";

2. Modified plugins/autologon/autologon.php to read the user data directly from our existing MySQL table, as long as the authorisation hash was correct:
class autologon extends rcube_plugin
{
    public $task = 'login';

    function init()
    {
        $this->add_hook('startup', array($this, 'startup'));
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function startup($args)
    {
        $rcmail = rcmail::get_instance();
        // change action to login
        if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']))
            $args['action'] = 'login';
        return $args;
    }

    function authenticate($args)
    {
        if (!empty($_GET['_autologin']) && !empty($_GET['uid']) && !empty($_GET['auth'])) {
            $rcmail = rcmail::get_instance();
            $db     = $rcmail->get_dbh();
            // Bind uid as a query parameter instead of interpolating it into the SQL string
            $result = $db->query("SELECT `email`, `pw` FROM `our_user_table` WHERE `id` = ?", $_GET['uid']);
            $data   = $db->fetch_assoc($result);
            if ( !empty($data) )
            {
                $email  = $data['email'];
                $pw     = $data['pw'];
                $date   = date('Ymd'); // YYYYMMDD (no time since this will increase the likelihood of an authentication failure)
                $expect = md5($date . $pw);
                $auth   = $_GET['auth'];
                // Strict comparison: == would treat two "0e..." hex strings as equal numbers
                if ( $auth === $expect )
                {
                    $args['user'] = $email;
                    $args['pass'] = $pw;
                    // $args['host'] = 'localhost'; // not sure why this was needed
                }
            }
        }
        return $args;
    }
}

3. Added 'autologon' to the array of active extensions in config/main.inc.php:
// List of active plugins (in plugins/ directory)
$rcmail_config['plugins'] = array('globaladdressbook', 'autologon');

(We were already using the Global Address Book plugin.)
That's it!
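An added example (not code from the original post) of a hardened form of the same per-day link token, which also goes beyond the post by handling the 23:59 / 00:01 caveat: the token is an HMAC over the user ID and the day under a secret shared by both sites, verified in constant time, and yesterday's token is still accepted. It assumes a `$secret` configured on both sides (placeholder value here) and PHP 5.6+ for hash_equals; the plugin would use the token only to authorise the request and still read `pw` from the table to log in to IMAP.

```php
<?php
// Added example, not code from the original post. Same idea (a per-day
// token in the link), but the token is an HMAC over the user ID and the
// day, keyed with a secret shared by both sites, so the password never
// feeds into the token and a token cannot be forged without the secret.
// The verifier also accepts the previous day's token, which covers the
// 23:59 / 00:01 case mentioned in the post.
// Assumed: $secret is a long random value in both sites' configuration.
function autologin_token($uid, $secret, $day = null)
{
    // $day is YYYYMMDD; use UTC on both sides so clocks agree on the date
    if ($day === null) {
        $day = gmdate('Ymd');
    }
    return hash_hmac('sha256', (string) $uid . '|' . $day, $secret);
}

function autologin_token_valid($uid, $token, $secret, $grace_days = 1, $now = null)
{
    if ($now === null) {
        $now = time();
    }
    // Try today, then up to $grace_days earlier days
    for ($i = 0; $i <= $grace_days; $i++) {
        $day    = gmdate('Ymd', $now - $i * 86400);
        $expect = autologin_token($uid, $secret, $day);
        // Constant-time and type-strict, unlike == on two md5 strings
        if (hash_equals($expect, (string) $token)) {
            return true;
        }
    }
    return false;
}

// Constructed demo values (placeholder secret)
$secret = 'replace-with-a-long-random-secret';
$uid    = 42;

// Issuing side: link generated at 23:59 UTC on 2023-12-31
$issued = gmmktime(23, 59, 0, 12, 31, 2023);
$auth   = autologin_token($uid, $secret, gmdate('Ymd', $issued));
echo "<a href=\"link-to-roundmail?_autologin=1&uid={$uid}&auth={$auth}\">Staff e-mail</a>\n";

// Verifying side: clicked at 00:01 UTC on 2024-01-01 (accepted), two days
// later (rejected), and with a tampered uid (rejected)
$clicked = gmmktime(0, 1, 0, 1, 1, 2024);
var_dump(autologin_token_valid($uid, $auth, $secret, 1, $clicked));
var_dump(autologin_token_valid($uid, $auth, $secret, 1, $clicked + 2 * 86400));
var_dump(autologin_token_valid($uid + 1, $auth, $secret, 1, $clicked));
```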