I’m trying to provide direct links to protected site resources (from an email newsletter) with an automatic authentication step to avoid login. I’ve done this before, years ago, but none of the methods I used previously seem to work. I’m sending the links to a landing page (something like /authenticate?key=xxxxx&id=xx) where a script checks the key, parses the destination page from the ID and is supposed to grab a generic user account (already set up) and authenticate the user before forwarding them to the desired resource.
I have used both runprocessor security/login and user->addSessionContext. Using both methods I get a bool true on user->isAuthenticated, but any redirect or navigation or simply reloading the page returns the user state to anonymous and unauthenticated. I’m guessing there’s a cookie issue at work here, but I’ve no idea how to solve it.
The following returns true and outputs a valid response object but if I reload the page or try to visit any other page on the site the user is 0 and unauthenticated.
$account = array(
'login_context' => 'web',
'username' => 'username',
'password' => 'password',
'returnUrl' => "/",
'rememberme' => 0,
);
$response = $modx->runProcessor('security/login', $account);
if (!$response->response["success"]) {
// deal with the error
}else{
print_r($response->getResponse());
var_dump($modx->user->isAuthenticated('web'));
}
Using the following I also get true on user->isAuthenticated(‘web’) but again the authentication doesn’t persist.
$user = $modx->getObject('modUser', array('username' => 'username'));
$user->addSessionContext('web');
This is all on the same domain. Is there a right way to do this so the authentication persists? I’m guessing I need to do something specific with the PHP Session ID or a specific cookie? Really frustrating since this used to work and now it doesn’t.
Please help you MODX geniuses!
This is MODX 2.8.x and PHP 8.2