I would like to do an external FORM POST to MOODLE's login/signup.php page.
Moodle expects a SESSKEY to POST the form data.
What is the proper integration technique to create a SESSKEY??
In reply to Paul Caliban
Re: What is technique to POST a user FORM to Moodle FORM??
by Andrew Normore -
Take a look at say, /course/form_edit.php and look for the form definition.
Right at the top, you'll see hidden information that's passed. You could pass your session key in there!
The whole point of the sesskey paramater is to stop exactly what you are trying to do. It prevents someone creating a link from outside of Moodle that tricks Moodle into thinking the current user has requested a particular action (as the sesskey is only available in links / forms generated by Moodle itself).
It appears you are wanting to do some form of Single Sign On (SSO) into Moodle, from some other site. If that is the case, then the proper approach is to write an authentication plugin that will handle this, rather than trying to POST directly to the login form. This page should get you started: http://docs.moodle.org/dev/Authentication_plugins
In reply to Davo Smith
Re: What is technique to POST a user FORM to Moodle FORM??
by Dan Poltawski -
Just to back up what Davo is saying and mention some acronyms , the sesskey is protection from CSRF (Cross Site Request Forgery). See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Imagine a mischievous student who posts a forum post with an image url of yourmoodle.com/user/delete.php?id=3&confirm=1
Thanks for info. I will read the Plugin stuff
I actually am not trying to intentionally violate cross-domain rules and break Moodle's security.
That said, I would like to have a more attractive SIGNUP FORM actually located in the MOODLE root that can POST to the moodle SIGNUP PHP code. (not from outside moodle)
Like if the user just completed the moodle ugly signup form and submitted.
You may ask Why - cause the client requested to have a super simple signup FORM without all the Moodle Framing....wrapping.....
Short of reading the SIGNUP code seems that when a user arrives on the Moodle homepage and is NOT logged in yet, some how during the first access to the existing SIGNUP form the $user->sesskey is created so when they do submit the signup FORM the sesskey exists....
IF I cannot mimic the SIGNUP sesskey with some form of "generate sesskey()", then I would need to deal with $mform code to create the FORM I need. But, that would only get me 1/2 way, because the goal was a dirt simple form without the Moodle trappings. Form>> POST>>
Maybe what I need to do is get an example and study the details of generally writing apps for MOODLE or check on doing the FORM push/insert with a WEBservice?
In reply to Paul Caliban
Re: What is technique to POST a user FORM to Moodle FORM??
by Paul Caliban -
MAYBE ... I should be thinking/asking HOW does one create simple HTML forms and use with MOODLE??
I. Create code is Dreamweaver
2. Embed in MOODLE.....??? somehow
3. Use NEW form, which does POST to Signup.php Moodle program??
naturally with NO sesskey violations...
Ahh.. well it you're going to basically put this inside Moodle, then the easiest way would be:
- require_once('config.php'); (or '../config.php' if you are in a subfolder)
- $sesskey = sesskey();
After that, you are pretty much good to go. The only issue I can see is that the user will have to click a couple of submit buttons - the first to submit the form, the second to submit the login request (as, without javascript hacks, you can't POST to a page via a redirect).
You probably want to do a whole load of extra bits and bobs in the form processing to do the actual user creation, etc. But I'll leave you to take a look through the standard moodle authetication / login / user creation code to see how that is done...
Thanks..
<?php $sesskey = sesskey(); ?>
<input type="hidden" name="sesskey" value="<?php echo $sesskey ?>" />
And no DEVELOPERS were hurt during the testing!