PHP ODP::Passport details

This is the post I wrote to the ODP forums about the PHP ODP::Passport script:

If there are any tool authors using PHP who want to use ODP::Passport with their tools, I wrote a script that lets you do this pretty easily. The source is here: http://pgl.yoyo.org/odp/passport/login.phps ("highlighted" source) http://pgl.yoyo.org/odp/passport/login.php.txt (plain text) (PHP's source-highlighted version included just in case anyone is colour blind and / or la la.) It acts as a central login handler for all your tools (although it doesn't have to), so should be set as the default tool when your account is set up on http://passport.rpfuller.org/ . When that's set up, all you have to do is change two values at the top of the file (for your tool collection name and shared secret for O::P), and include() it at the top of any PHP script that you want to protected with ODP::Passport. eg: --> a tool-owner account is set up on http://passport.rpfuller.org/ with the default tool set to http://pgl.yoyo.org/odp/passport/login.php --> I copy the file, edit the two values that need changing, and make it available at http://pgl.yoyo.org/odp/passport/login.php --> I want to protect my new script (http://pgl.yoyo.org/odp/naked-editors.php) so add the following as the first line: include '/home/pgl/public_html/odp/passport/login.php'; --> that's it - now only ODP::Passport authenticated users will be able to leer over ODP's finest. It works by checking for cookies, not finding any, and redirecting to http://passport.rpfuller.org/ , which then (assuming the user logs in successfully) redirects them to the central login script, which finally redirects them back to the original tool again (but this time with valid cookies). The URL of the original tool is passed to p.r.org as pp_tool and returned as just tool, so it would be pretty easy to use an alternative script as the default tool - all it would have to do is redirect the user to whatever tool is set to. If you want pass a script variables via the query string and the user is redirected to log in first, the variables will be passed back after login with "pp_p_" prefixed to their name. So, if someone tried to go to http://pgl.yoyo.org/odp/naked-editors.php?gallery=frolics12 and wasn't logged in, they would eventually end up back at http://pgl.yoyo.org/odp/naked-editors.php?gallery=pp_p_frolics12 after the being authenticated. I will add some code to check through for pp_p_ vars and rename them, but I'm hoping a feature request will be implemented so that variables will be stripped before being passed back to the login script. Lastly, to log out just add "?odp_pp_logout=1" to the tool's URL (or "&odp_pp_logout=1" if a query string is set). This unsets O::P cookies on your server, then redirects to http://passport.rpfuller.org/logout.cgi for (I assume) further purging. One other feature request that would be useful would be: the ability to tell the login script on http://passport.rpfuller.org/ what URL the user is coming from, and have it redirect straight back there instead of bouncing off the default tool. It would make things really simple - to protect a PHP script with O::P, the only thing needed would be to include this script at the top of the tool's source. It would also mean one less redirect for the user, and remove the need for a default tool. ---- Moments later, I realised a mistake and replied to myself... ---- Oops, one mistake (that I noticed): the user won't actually end up at http://pgl.yoyo.org/odp/naked-editors.php?gallery=pp_p_frolics12 after logging in - the O::P server uses POST to send the information back. But, pretty much the same thing with PHP usually. ---- And only a short time after that I finally got it... ---- Wait! No! I'm getting confused! Gah. The POST request is sent to login.php, which should then redirect to the tool. But it didn't, because I'd left that bit for now, which meant that *no* variables got passed back to the script at all, which sucked. So I added a bit where all pp_p_ variables (as returned by passport.rpfuller.org) are renamed and added to the query string, then passed to the tool via GET. So data (well, GET data anyway) *is* returned correctly after logging in. Bonus. :) I'm going to bed.