Correct way to use runprocessor security/login with persisting session

I’m trying to provide direct links to protected site resources (from an email newsletter) with an automatic authentication step to avoid login. I’ve done this before, years ago, but none of the methods I used previously seem to work. I’m sending the links to a landing page (something like /authenticate?key=xxxxx&id=xx) where a script checks the key, parses the destination page from the ID and is supposed to grab a generic user account (already set up) and authenticate the user before forwarding them to the desired resource.

I have used both runprocessor security/login and user->addSessionContext. Using both methods I get a bool true on user->isAuthenticated, but any redirect or navigation or simply reloading the page returns the user state to anonymous and unauthenticated. I’m guessing there’s a cookie issue at work here, but I’ve no idea how to solve it.

The following returns true and outputs a valid response object but if I reload the page or try to visit any other page on the site the user is 0 and unauthenticated.

$account = array(
   'login_context' => 'web',
   'username'      => 'username',
   'password'      => 'password',
   'returnUrl'     => "/",
   'rememberme'    => 0,
);    
$response = $modx->runProcessor('security/login', $account);
if (!$response->response["success"]) {
   // deal with the error
}else{
   print_r($response->getResponse());
   var_dump($modx->user->isAuthenticated('web'));
}

Using the following I also get true on user->isAuthenticated(‘web’) but again the authentication doesn’t persist.

$user = $modx->getObject('modUser', array('username' => 'username')); 
$user->addSessionContext('web');

This is all on the same domain. Is there a right way to do this so the authentication persists? I’m guessing I need to do something specific with the PHP Session ID or a specific cookie? Really frustrating since this used to work and now it doesn’t.

Please help you MODX geniuses!

This is MODX 2.8.x and PHP 8.2

I don’t know what the issue is here. When I test it with the code you provided, all seems to work correctly.

The only thing is, that immediately after running the processor, the line var_dump($modx->user->isAuthenticated('web')); always returns false. But this should be correct after a redirect or on the next request.


The Login extra also uses the exact same processor to log users in.

So there is no reason why this method wouldn’t work.


Are you testing this properly? In a separate browser or a new private window, so that your current status (logged in as an admin in to the MODX manager) doesn’t interfere?

Yeah, I’m running it in a different browser where there is no authenticated session, and I’m purging cache constantly. However, the site runs behind Cloudflare and I’m wondering if that’s interfering. I’m clearing the Cloudflare cache and using a unique URL param on each page but still no joy, it’s really weird. Will try again late today/tomorrow and see if I can figure it out. Thanks for the input.

You might try throwing this in after adding the session context:

$modx->reloadContext('web');