Ask an Expert

Using PHP to check authentication

Asked by Henry Umanksy
Posted March 4, 2010, in Featured.

Hello, I’m trying to mix PHP code with MT tags in order to check if a user is authenticated. The purpose is to show and hide published pages according to who is logged in.

We are using Movable Type 4.34 with: Community Pack 1.65, Enterprise Pack 1.31, Professional Pack 1.31

2 Answers

François Nonnenmacher on March 5, 2010, 4:39 a.m.

Movable Type 4

Here is the code I use; it uses MT's own session manager. First, define an “Authenticate” module template:

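<?php
  // Ask MT's comment script for the session that belongs to the visitor's cookies.
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, "<$mt:AdminCGIPath$><$mt:CommentScript$>?__mode=session_js&blog_id=<mt:BlogID>&jsonp=mtSetUserOrLogin");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_COOKIE, isset($_SERVER["HTTP_COOKIE"]) ? $_SERVER["HTTP_COOKIE"] : "");
  $json = curl_exec($ch) or die("Cannot connect to MT!");
  curl_close($ch);
  // Strip the JSONP wrapper: "mtSetUserOrLogin(" is 17 characters, plus the trailing characters.
  $json = substr($json, 17, strlen($json)-20);
  $session = json_decode($json, true);
  // A response that fails to decode leaves $session null, which also triggers the redirect.
  if (empty($session['is_authenticated'])) {
    header("Location: <$mt:AdminCGIPath$><$mt:CommentScript$>?__mode=login&blog_id=<mt:BlogID>&return_url=".rawurlencode($_SERVER["REQUEST_URI"]));
    exit; // stop here so the protected page body is not sent along with the redirect
  }
?>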

And then, on the first line of any page I want to protect, this code:

<$mt:Include module="Authenticate"$>

In this example, if the user has no active session, s/he is redirected to the login page then back to the secured page. You can add other conditions, such as $session['can_post'] and other MT authorizations held in the session cookie.

Note this solution only works if the page and the comment script are on the same domain, because it’s cookie-based (and the MT cookie can be set to be valid for an entire domain). You can’t share a cookie between different domains.

Movable Type 5

Here’s a different one that is supposed to work with MT5.1+ (I haven’t tested it yet):

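<?php
  // Fail closed: require sign-in unless MT positively verifies the session.
  $need_signin = true;
  $mt_commenter = isset($_COOKIE['mt_commenter']) ? $_COOKIE['mt_commenter'] : '';
  if ( !empty( $mt_commenter ) ) {
    $ch = curl_init();
    // The cookie value is client-controlled, so URL-encode it before adding it to the query string.
    curl_setopt($ch, CURLOPT_URL, "<$mt:AdminCGIPath$><$mt:CommentScript$>?__mode=verify_session&jsonp=nobody&blog_id=<mt:BlogID>&sid=" . rawurlencode($mt_commenter));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIE, isset($_SERVER["HTTP_COOKIE"]) ? $_SERVER["HTTP_COOKIE"] : '');
    $ret = curl_exec($ch) or die("Cannot connect to MT!");
    curl_close($ch);
    // The response is JSONP, nobody({...}); extract and decode the JSON payload.
    if ( preg_match( "/nobody\((.*)\)/", $ret, $matches ) ) {
      $json = json_decode($matches[1], true);
      // An unparseable or unverified response leaves $need_signin set to true.
      if ( !empty($json['verified']) )
        $need_signin = false;
    }
  }

  if ( $need_signin ) {
    header("Location: <$mt:AdminCGIPath$><$mt:CommunityScript$>?__mode=login&blog_id=<mt:BlogID>&return_to=".rawurlencode("http://localhost" . $_SERVER["REQUEST_URI"]));
    exit; // stop here so the protected page body is not sent along with the redirect
  }
?>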

Replace http://localhost with your domain name.
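
Both snippets above depend on unwrapping a JSONP response from the comment script before trusting a flag inside it. The following is an added example, not part of the original answer and not Movable Type code: it unwraps the body by callback name instead of by fixed offsets and treats anything unexpected as "not signed in". The function names `mt_unwrap_jsonp` and `mt_flag_set` are hypothetical, and the sample response bodies are constructed, not captured from a real installation.

```php
<?php
// Added example, not Movable Type code. Unwrap a JSONP body such as
// mtSetUserOrLogin({...}); and return the decoded array, or null for any
// response that does not have exactly that shape.
function mt_unwrap_jsonp($body, $callback) {
    if (!is_string($body)) {
        return null; // curl_exec() returned false
    }
    // Anchor on the expected callback name; allow an optional trailing ";".
    $pattern = '/\A\s*' . preg_quote($callback, '/') . '\((.*)\)\s*;?\s*\z/s';
    if (!preg_match($pattern, $body, $m)) {
        return null; // HTML error page, different callback, truncated body
    }
    $data = json_decode($m[1], true);
    return is_array($data) ? $data : null;
}

// Fail closed: true only when the named flag is present and truthy.
function mt_flag_set($body, $callback, $flag) {
    $data = mt_unwrap_jsonp($body, $callback);
    return $data !== null && !empty($data[$flag]);
}

// Constructed sample responses (assumed shapes, using the keys named above).
$samples = array(
    array('mtSetUserOrLogin({"is_authenticated":1,"can_post":1});', 'mtSetUserOrLogin', 'is_authenticated'),
    array('mtSetUserOrLogin({"is_authenticated":0});', 'mtSetUserOrLogin', 'is_authenticated'),
    array('nobody({"verified":1})', 'nobody', 'verified'),
    array('<html><body>Internal Server Error</body></html>', 'nobody', 'verified'),
    array('nobody({"verified":', 'nobody', 'verified'), // truncated body
    array(false, 'nobody', 'verified'),                 // curl failure
);

foreach ($samples as $s) {
    list($body, $callback, $flag) = $s;
    $allowed = mt_flag_set($body, $callback, $flag);
    echo var_export($body, true), ' => ', $allowed ? "allow\n" : "redirect to login\n";
}
```

Only the first and third samples result in "allow"; the error page, the truncated body and the failed request all fall through to the login redirect.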

Charlie Gorichanaz on October 26, 2013, 4:27 a.m.

There is also an Endevver code sample (mt-php-MTUser) that is supposed to accomplish this goal with PHP more easily.

François Nonnenmacher

Founder of Ubiquitic, a web consultancy based in Noumea, New Caledonia. François has more than 10 years of experience with Movable Type (from the time it was just Mena and Benjamin Trott in a garage!) and has implemented it in small and big business sites, such as the blogs of the Capgemini Group, as well as the blogs of Le Figaro, the first online news site in France.

Website: http://ubiquitic.com/
Twitter: @François Nonnenmacher

Charlie Gorichanaz

Charlie joined Six Apart as a Japan based product manager for Movable Type in February 2014 after spending two years as a developer for 601am. Previously he was the web director of The Badger Herald while studying biochemistry at the University of Wisconsin-Madison.

Website: http://votecharlie.com/
Twitter: @CNG