I'm using the latest jforum from csv and am implementing SSO with cookies. I've written a class that implements SSO and can successfully have my app's login page set a cookie and have jforum use that cookie to create its user. The problem I am running into is that if a user goes to my jforum without logging into my app first, jforum automatically logs them in as Anonymous. I expected jforum to use the sso.redirect property in my jforum-custom.conf to redirect the user to my app's login page.
I am trying to make it so that jforum only allows users with the cookie set and redirects them to my login page if it is not. That way there are never any anonymous users. Is this possible?
Chris [originally posted on jforum.net by cdollar]
I created a new group called "Deny all" and added the anonymous user to it. Now, if someone who has not logged on tries to view the forum, he just sees the header of the forum but no topics etc.
I'm using 2.1.7-b3.
Hope that helps. [originally posted on jforum.net by TheSmile]
I used some URL SSO. Adding a timestamp and encoding the username, timestamp and some other parameters that are bypassed.
On the forum those parameters are encoded again to match the cipher. If it's validated, you can analyse the timestamp to see if, like, more than 5 minutes have passed.
If too much time has passed or if the cipher is invalid for the parameters (or missing), the user will be redirected to a page telling him he was supposed to log in via the given page... and providing a link for the user.
That pretty much limits them a bit [originally posted on jforum.net by Sid]
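The signed-URL check described in the last post could look like the sketch below. It is an added example, not code from the thread or from JForum: it assumes HMAC-SHA256 as the "cipher", and the class name `SsoUrlToken`, the parameter names `user`, `ts`, `sig` and the shared key are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SsoUrlToken {
    // Assumption: a secret known only to the login app and the forum (constructed sample value).
    private static final byte[] KEY = "example-shared-secret-change-me".getBytes(StandardCharsets.UTF_8);
    private static final long MAX_AGE_MS = 5 * 60 * 1000; // the 5-minute window from the post

    static String mac(String user, long ts) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(KEY, "HmacSHA256"));
        // Length-prefix the username so the field boundary is unambiguous.
        String msg = user.length() + ":" + user + ":" + ts;
        byte[] tag = m.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Login-app side: query string appended to the forum URL after a successful login.
    static String buildQuery(String user, long now) throws Exception {
        return "user=" + URLEncoder.encode(user, "UTF-8") + "&ts=" + now + "&sig=" + mac(user, now);
    }

    // Forum side: recompute the MAC over the received parameters, then check freshness.
    // Any false result means "redirect to the login page".
    static boolean verify(String user, String ts, String sig, long now) {
        if (user == null || ts == null || sig == null) return false; // missing parameter
        try {
            long t = Long.parseLong(ts);
            byte[] expected = mac(user, t).getBytes(StandardCharsets.US_ASCII);
            // Constant-time comparison of the recomputed and received signatures.
            boolean authentic = MessageDigest.isEqual(expected, sig.getBytes(StandardCharsets.US_ASCII));
            long age = now - t;
            return authentic && age >= 0 && age <= MAX_AGE_MS; // rejects future and stale stamps
        } catch (Exception e) {
            return false; // malformed timestamp or crypto failure
        }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String ts = Long.toString(now), sig = mac("alice", now);
        System.out.println(buildQuery("alice", now));
        System.out.println("fresh, untampered: " + verify("alice", ts, sig, now));
        System.out.println("username changed:  " + verify("bob", ts, sig, now));
        System.out.println("older than window: " + verify("alice", ts, sig, now + MAX_AGE_MS + 1));
        System.out.println("signature missing: " + verify("alice", ts, null, now));
    }
}
```

A signed URL stays replayable until the window closes, so it should only travel over HTTPS and be exchanged for a normal session on first use.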