I'm running two different sites on two different servers with two different domain names. One website is running Joomla, the other Moodle. I've set up the Moodle server to base its authentication on the customers table of the Joomla site, so we have an authoritative source of user information.
What I'd like to do is: after someone signs in to the Joomla site, give them a link to the Moodle site that will quietly log them in, kind of faking a single sign-on solution. The passwords in Joomla are MD5'd, each with its own secret salt.
The first thought at how to tackle this was to tell Moodle the passwords were being saved in plain text, then, using a hidden form input, send the encoded password when they follow the link. Besides the obvious security problems with that, it also meant that whenever they tried to sign in through the Moodle interface, they'd have to enter a huge MD5 string, since that is what Moodle thinks their password is.
I have been thinking about altering the authentication module in Moodle so that when the posted password matches certain criteria (e.g. it's 32 hex digits), it doesn't MD5 it before comparing against the Joomla version. The problem with that is that anybody could (upon finding the encoded password) then use it to sign in. What I need is some kind of special method to send the encoded password from Joomla to Moodle and to signal to Moodle to handle that login request differently.
You can do the following for a secure single sign-on solution:
- Generate a random token (with a PRNG) for the Joomla user (store this)
- Send this token internally (using a web service etc., make sure it goes over HTTPS, or a local database) to Moodle
- While sending this token you should also tell Moodle which userid the token belongs to (so send token + userid)
- Store this token + userid in Moodle
- Produce a link in Joomla that carries this token (you can use the query string as long as you expire the token after first use, but POST is a better idea)
- When you see this token in Moodle, log the associated user in and expire the token (so it will be safe against replay attacks etc.)
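The token flow in the list above, as an added PHP sketch (PHP 7.4+) that is not part of the original answer and is not Joomla or Moodle code. The `SsoTokenStore` class, the 60-second lifetime, the use of `random_bytes()` as the random source, and storing only a SHA-256 hash of the token are assumptions made for the illustration; an in-memory array stands in for the Moodle-side token table.

```php
<?php
// Added illustration, not Joomla or Moodle code. SsoTokenStore stands in for
// a token table on the Moodle side; every name here is hypothetical.
final class SsoTokenStore
{
    private array $rows = [];   // sha256(token) => ['userid' => int, 'expires' => int]

    // Token creation and storage: Joomla asks for a token over the internal
    // HTTPS channel and tells Moodle which userid it belongs to.
    public function issue(int $userId, int $now, int $ttl = 60): string
    {
        $token = bin2hex(random_bytes(32));      // 256 bits from the OS CSPRNG
        // Keep only a hash, so a leaked table does not yield usable tokens.
        $this->rows[hash('sha256', $token)] = ['userid' => $userId, 'expires' => $now + $ttl];
        return $token;                           // placed in the POSTed form field
    }

    // Redemption: Moodle receives the token from the browser.
    public function redeem(string $token, int $now): ?int
    {
        if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
            return null;                         // malformed input, never looked up
        }
        $key = hash('sha256', $token);
        if (!isset($this->rows[$key])) {
            return null;                         // unknown or already used
        }
        $row = $this->rows[$key];
        unset($this->rows[$key]);                // expire before logging anyone in
        return $now <= $row['expires'] ? $row['userid'] : null;
    }
}

$store = new SsoTokenStore();
$t0    = 1700000000;                             // constructed timestamp
$token = $store->issue(42, $t0);                 // constructed Joomla userid

var_dump($store->redeem($token, $t0 + 5));       // first presentation of the token
var_dump($store->redeem($token, $t0 + 6));       // same token presented again (replay)
$late = $store->issue(42, $t0);
var_dump($store->redeem($late, $t0 + 61));       // presented after the lifetime ended
var_dump($store->redeem(str_repeat('0', 64), $t0)); // well-formed but never issued
```

With a real database table, make the delete-and-check a single atomic statement (for example, delete by token hash and test the affected row count) so that two concurrent requests cannot both redeem the same token.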
If you are using Joomla! 1.5, remember user plugins. Have a look at plugins/user/example.php. You can capture the password during the onLoginUser event, which will let you bridge the systems.
Would you use Professional Moodle (http://www.promoodle.com/) or JFusion (http://www.jfusion.org/), each of which purports to provide a single sign-on system for a Joomla / Moodle setup?
There's also a guide located here: http://myjoomlaextensions.com/images/fbfiles/files/MoodleBridge.pdf to "bridge between Moodle and Joomla".
There are helpful tips for modifying the Moodle code to produce a single sign-on system here: http://moodle.org/mod/forum/discuss.php?d=45126#211486 (use with caution!).
Your mileage may vary attempting to use these solutions across different domain names.