[tuberb]

I am trying to integrate phplist into my client's site so that admins who have already logged in to their admin area (via a custom database-validated login) won't have to log in a second time to phplist. I would like to set things up so that my enclosing script does whatever setup is needed so that phplist considers the user logged in as an admin, without changing the code of the phplist modules themselves, so I don't have issues with new releases.

I have tried setting $_SESSION["adminloggedin"] and $_SESSION["logindetails"] variables in my script (where I am running phplist in an iframe) prior to invoking phplist but am still prompted to log in. I have also tried pointing to an alternate config file which has $require_login set off, but can't seem to make the alternate config file active.

My current fallback is to leave $require_login off, but am concerned about the security implications. I'd be very appreciative of suggestions on how to get there from here.

Thanks,

Barry

[Mike_R]

If there's no admin logged in, the file /admin/index.php looks for $_REQUEST["login"] and $_REQUEST["password"] via the below line. If they're found then it will process the PHP List login, rather than displaying the login page.

Code: Select all

 if ((!isset($_SESSION["adminloggedin"]) || !$_SESSION["adminloggedin"]) && isset($_REQUEST["login"]) && isset($_REQUEST["password"]))


$_REQUEST is a super-global, containing $_POST, $_GET and $_ENV vars, so you can even login using the GET method. For proof of this, visit

http://demo.phplist.com/lists/admin/index.php?login=admin&password=phplist

Which logs you straight into the admin section of the demo site. Hope this helps, otherwise you may need to start looking at a custom authorisation script (if you can't retrieve the correct password from your other app).

PS "index.php" in the above URL is optional, it works just as well with "/admin/?login...."