Modules that require authentication

by Philip Tellis -
Number of replies: 9
I've been integrating moodle to work with some of our own course tools. Each of these tools requires the student to login. We've decided that there should be just a single login, and that should be moodle's. Now when logging in, moodle needs to tell each of these modules that the student has logged in.

To do this, each of our modules implements a module_login($username, $password) function, which is called from login/index.php

It's not a problem to do this for one module, but as the list increases, it becomes cumbersome.

What I'm proposing is that we call a single method: login_all_modules($username, $password);, which in turn iterates through all registered modules, calling ${modulename}_login if such a function exists (I do not know enough PHP to know if this is possible).

Similarly, ${modulename}_logout would be called from login/logout.php, *before* clearing $SESSION and $USER

Thoughts?

Philip
Average of ratings: -
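The dispatch proposed in the post above (call ${modulename}_login or ${modulename}_logout only where such a function exists) is possible in PHP with function_exists() and a variable function call. The sketch below is an added example, not code from the thread or from Moodle; the module names and hook functions are hypothetical, and as an assumption of this example the hooks receive only the username.

```php
<?php
// Added example: module names and *_login / *_logout functions are hypothetical.

// Constructed sample hooks standing in for real module libraries.
function vasistha_login(string $username): string { return "vasistha session opened for $username"; }
function vasistha_logout(string $username): string { return "vasistha session closed for $username"; }
function quiztool_login(string $username): string { throw new RuntimeException('backend unreachable'); }
// The "forum" module deliberately defines no hooks.

/**
 * Call {$module}_{$event}() for every registered module that defines it.
 * Returns [module => result or error string]; modules without the hook are skipped.
 */
function call_module_hooks(array $modules, string $event, string $username): array
{
    $results = [];
    foreach ($modules as $module) {
        // Only plain identifiers may become part of a function name.
        if (!is_string($module) || !preg_match('/^[a-z][a-z0-9_]*$/', $module)) {
            continue;
        }
        $hook = "{$module}_{$event}";
        if (!function_exists($hook)) {
            continue;
        }
        try {
            $results[$module] = $hook($username);   // variable function call
        } catch (Throwable $e) {
            // One failing module must not stop the others or block logout.
            $results[$module] = 'error: ' . $e->getMessage();
        }
    }
    return $results;
}

$registered = ['vasistha', 'quiztool', 'forum', '../evil'];   // constructed list
print_r(call_module_hooks($registered, 'login', 'student1'));
print_r(call_module_hooks($registered, 'logout', 'student1'));
```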
In reply to Philip Tellis

Re: Modules that require authentication

by Martin Dougiamas -
Currently, the onus is completely on the modules to check whether the user is logged in - I think you'll find it's a lot easier that way.

All you need to do is include these two lines at the top of your code, then you know $USER is a valid user:

require("../../config.php"); // Moodle's config
require_login();

Unless I've misunderstood and you really need a hook to execute code in your module on login....?
In reply to Martin Dougiamas

Re: Modules that require authentication

by Philip Tellis -
Well, these external programs are also session based, and therefore require a login and a logout. There will be many ways of getting into the program, not all of which will be through moodle. However, authentication should be done only through moodle.

So... this is what I do currently:

Scenario 1:
User first logs into moodle.
Moodle logs user into external application via http, application returns a session_id to moodle that is to be used whenever user wants to go from moodle to application.
When user clicks on application's module, module redirects to: app_url?SESSID=$apps_session_id

Scenario 2:
User goes directly to some page within external application.
Application determines that user is not logged in, and redirects the user to moodle's login page.
User logs into moodle, and consequently, steps from Scenario 1 take place.

I also have a provision for jumping back to the calling application when this happens, but this is part of the application's module.

Scenario 3:
User logs out of moodle, moodle should log user out of application so that directly typing the url of the application should again force a login.

Hope it's clear now. Unfortunately our system is not available on a public website, so I cannot point you to it.

Basically, I've had to call my login code in login/index.php and logout code in login/logout.php. It might make sense to call the module_login/module_logout functions for all modules if they exist - that way, other session based external applications can work too.

If all that was required was a login, then the resource module would work just fine.

Thanks,

Philip

PS: I do use the code you posted in my callback from the application.
In reply to Philip Tellis

Re: Modules that require authentication

by Martin Dougiamas -
I still think the best way to do this is the way I mentioned before - no need to alter Moodle at all. Your external apps can still create their own sessions, variables, cookies etc AFTER Moodle's require_login().

1. If someone logs into Moodle first, then the require_login() will pass and your application can take it from there, with full access to $USER as a global variable.

2. If someone goes to the external application directly, they'll be redirected to the Moodle login page first then flung back to the external application after a successful login. At that point things continue as for (1).

I can't see any need to pass sessions around etc.
Average of ratings: Useful (1)
In reply to Martin Dougiamas

Re: Modules that require authentication

by Greg Barnett -
I am doing more or less what you outline above for a number of small programs that integrate with moodle, and use moodle for authentication (as well as reusing moodle libraries). A small example can be found in the contrib area in cvs:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/moodle/moodle/contrib/crown_college/makeclass/

However, if I were to integrate another large application with Moodle, this is not the approach I would take. The chances of a conflict with a global variable or function name are too high when including a bunch of Moodle code with an application that wasn't written to integrate with Moodle. There is also the performance hit from including and initializing Moodle.

Instead, I would use Moodle's program resource, or a customized version thereof.
In reply to Greg Barnett

Re: Modules that require authentication

by Philip Tellis -
Well, I can't call moodle from within my program because it isn't written in php and it doesn't have to be on the same machine.

The program resource cannot be used for two reasons. It passes a md5 hash of the password that my program then needs to check against its own password table. This requires that I store passwords as cleartext which I won't do. (Note: storing the hash itself is no more secure than storing the password cleartext since any attacker only requires the hash, not the password).

Secondly, the program resource is fine for programs that need to authenticate every time they are invoked. We have a session based system where you login once and logout when you're done.

As of now, I still need to figure out how to get the logout done automatically without editing login/logout.php
In reply to Martin Dougiamas

Re: Modules that require authentication

by Philip Tellis -
Ok, I can make this work for the login part. My program is called vasistha, so will refer to it as that. If a vasistha session doesn't already exist, the view.php code for the module will call vasistha_login which creates the session in vasistha and then redirects the browser to vasistha.

If someone comes into vasistha first, he is redirected to mod/vasistha/auth.php which looks something like this:

require_once("../../config.php");
require_once("lib.php");
require_variable($CGISESSID);
$SESSION->vasistha_session = $CGISESSID;
require_login();
vasistha_login(...);
redirect(...);

The only thing left now is the logout. When the user logs out of moodle, it should automatically logout of vasistha.

The other option would be to check if moodle's session is alive on every single request to vasistha. This would be a bad idea since the two may not be on the same machine, and communicate over http.

Philip
In reply to Martin Dougiamas

Re: Modules that require authentication

by Dallas Ray Smetter -
I took this advice... and the results have been highly successful.
In reply to Philip Tellis

Re: Modules that require authentication

by Thomas Robb -
If the "course tools" mentioned are external to Moodle, then one could not easily require Moodle entities in the code.

Wouldn't it work, however, to embed code into Moodle's login module that writes a specific cookie that could then be checked by each of your own course tools? The cookie could have a very short lifespan, and/or code in Moodle's logout routine could delete it, although this would not work if the user simply shuts the browser window, which is often the case.
In reply to Thomas Robb

Re: Modules that require authentication

by Philip Tellis -
Yeah, this is more or less what I do, was just wondering if it would make sense to include hooks into moodle so that I didn't have to modify the moodle code. As of now, I have to maintain a diff of my code v/s moodle's original, and patch it every time we upgrade. Hasn't been too hard so far.

Shutting down the browser is not much of an issue because we have the sessions timeout in 1 hour anyway - both for moodle and the other applications.

We had to change the cookie to a query_string variable since the tools may exist on a different server.

I hope to be able to show these things off sometime ;)
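The short-lived login marker discussed in the last two posts (first a cookie, then a query-string variable so that tools on another server can read it), as an added example that is not code from the thread or from Moodle. It goes beyond what the posts describe by signing the value with an HMAC and embedding an expiry, so the receiving tool can check authenticity and lifetime itself; the token layout, function names and shared secret are assumptions.

```php
<?php
// Added example: token layout, function names and the shared secret are assumptions.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** Issue "payload.signature", where payload = base64url(JSON {u, exp}). */
function issue_login_token(string $username, string $secret, int $now, int $ttl = 60): string
{
    $payload = b64url(json_encode(['u' => $username, 'exp' => $now + $ttl]));
    $sig = b64url(hash_hmac('sha256', $payload, $secret, true));
    return "$payload.$sig";
}

/** Return the username if the token is authentic and unexpired, else null. */
function verify_login_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $sig)) {          // constant-time comparison
        return null;
    }
    $json = base64_decode(strtr($payload, '-_', '+/'), true);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['u'], $data['exp']) || !is_int($data['exp'])) {
        return null;
    }
    return $now <= $data['exp'] ? (string) $data['u'] : null;
}

$secret = 'constructed-demo-secret';              // constructed; real keys stay out of code
$t0 = 1700000000;                                 // constructed timestamp
$token = issue_login_token('student1', $secret, $t0);
var_dump(verify_login_token($token, $secret, $t0 + 30));        // inside the lifetime
var_dump(verify_login_token($token, $secret, $t0 + 3600));      // after expiry
var_dump(verify_login_token($token . 'x', $secret, $t0 + 30));  // altered signature
```

A token like this can still be replayed until it expires, so the receiving tool should exchange it for its own session once and keep the lifetime short.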