🌍
English
Hello/Hi/Greetings,
I'd like to insert some PHP code in the beginning of every site that is shown.
In more detail: I want to include a session PHP file that checks if the user is logged in, not using the piwigo authentication. As this session check might send headers itself, it has to be included before any output gets sent to the browser.
How can I do it? Should I edit any file or is there even a plugin for it?
Best regards
dummer-esel
Piwigo version: latest stable
PHP version: 7.3
MySQL version: can look it up if necessary
Piwigo URL: only with authentication ;-)
Last edited by dummer-esel (2020-04-30 00:18:26)
Offline
Sorry for posting too fast... I think I figured it out on my own:
I created a file: (piwigo)/local/config/config.inc.php
there I included my code and it seems to work fine! :-)
I hope it won't get overwritten with the next update...
Hmm... looks like my test case didn't cover everything:
Warning: session_set_save_handler(): Cannot change save handler when session is active in (path)/include/functions_session.inc.php on line 24
...looks like piwigo doesn't like it when I open a session before?
Has anyone experience with this?
How can I start my session (to authenticate my user) and still run piwigo "afterwards"?
Last edited by dummer-esel (2020-04-30 00:11:38)
Offline
Can you explain what you try to do instead of ask for the way to hook into piwigo ? I don't want a technical explanation but functional.
Offline
Sure:
I programmed a restricted user area where you can see some internal content (and authorize via a PHP session).
Inside this area I have a personal blog as well as other stuff, and my photo gallery.
I want to avoid that someone just opens the internal content using a direct URL without having logged in directly.
This works well with the blog (wordpress - I just added a <? include('session.php'); ?> in front of every site output just to check if user is logged in and otherwise redirect to the login page).
I wanted to do the same with pwg but there seems to be an issue with sessions?
Offline
dummer-esel wrote:
Sure:
I programmed a restricted user area where you can see some internal content (and authorize via a PHP session).
Inside this area I have a personal blog as well as other stuff, and my photo gallery.
I want to avoid that someone just opens the internal content using a direct URL without having logged in directly.
This works well with the blog (wordpress - I just added a <? include('session.php'); ?> in front of every site output just to check if user is logged in and otherwise redirect to the login page).
I wanted to do the same with pwg but there seems to be an issue with sessions?
There's several options to try to solve your problem :
- share session table between your restricted are and piwigo
- use piwigo API to display images in your restricted area
You can look at wordpress extension that allow you to display photos managed by piwigo in a wordpress blog.
Last edited by nicolas (2020-04-30 11:47:39)
Offline
Hi, thanks for your ideas!
I thought it would not be a problem... as far as I see the pwg session has the ID "pwg_id" and my session has no specific name "PHPSESSID" as I just create it with start_session();
nicolas wrote:
There's several options to try to solve your problem :
- share session table between your restricted are and piwigo
- use piwigo API to display images in your restricted area
How can I share session tables? Should I give it a name (or the same name?)?
In the API doc I see three functions with pwg.session.* but I guess it's related to log in to pwg and not general (PHP) session handling, even if you watch photos as "Guest"?
You can look at wordpress extension that allow you to display photos managed by piwigo in a wordpress blog.
Thanks, however I'd like to keep thinks separated. I already have thousands of photos in my pwg. :-)
Offline
What you try to do is like a single sign on (SSO) system between you're restricted area, wordpress and piwigo (and perhaps others applications).
I don't know wordpress very well and of course I don't see your restricted area code, but you must share something. Piwigo offers a mecanism to easily share users between two applications : see authenication stanza in include/config_default.inc.php file.
As I said you can also share the session if the cookie name is the same and of course if the domain is the same. But you must access the session data between the different applications. I don't know for wordpress but in Piwigo data session are saved in database by default (it can be changed).
Don't hesitate if something is not clear enough. I can give you more informations or piece of code.
Offline
Thanks nicolas,
this sounds all so complicated to me.
Actually, in wordpress i have no registration activated, so it has no session at all and my pwg is "open", so everyone can see photos as Guest (no registration/login to pwg).
Before, I had just a .htaccess authentication which worked (functionally) well, because I could set it for the overlying folder and it was like a "SSO" for all the content. However, with htaccess it's not possible to "log out" and the usability is quite bad (ugly popup window for credentials, no good error handling...), this is why I programmed a simple PHP session log in. Works with a simple include in WP but not in PWG.
nicolas wrote:
Piwigo offers a mecanism to easily share users between two applications : see authenication stanza in include/config_default.inc.php file.
Actually, I don't need to authorize the users in pwg because everyone should see photos as "Guests" (as long as they have logged in to "my" session before).
As I said you can also share the session if the cookie name is the same and of course if the domain is the same. But you must access the session data between the different applications.
So I could just name my session like the piwigo session "pwg_id" and then it should work? Is there any list of session variables that pwg uses so that I don't accidentally overwrite those?
Offline
dummer-esel wrote:
Thanks nicolas,
this sounds all so complicated to me.
Actually, in wordpress i have no registration activated, so it has no session at all and my pwg is "open", so everyone can see photos as Guest (no registration/login to pwg).
Before, I had just a .htaccess authentication which worked (functionally) well, because I could set it for the overlying folder and it was like a "SSO" for all the content. However, with htaccess it's not possible to "log out" and the usability is quite bad (ugly popup window for credentials, no good error handling...),
You can of course logout from a basic auth session sending a 401 http code with the same realm as for authentication. But I agree, it's quite ugly and of course not really secure as login and password are in all http request.
dummer-esel wrote:
this is why I programmed a simple PHP session log in. Works with a simple include in WP but not in PWG.
nicolas wrote:
Piwigo offers a mecanism to easily share users between two applications : see authenication stanza in include/config_default.inc.php file.
Actually, I don't need to authorize the users in pwg because everyone should see photos as "Guests" (as long as they have logged in to "my" session before).
As I said you can also share the session if the cookie name is the same and of course if the domain is the same. But you must access the session data between the different applications.
So I could just name my session like the piwigo session "pwg_id" and then it should work? Is there any list of session variables that pwg uses so that I don't accidentally overwrite those?
I think there's something I do not understand. You create a restricted area using php session to protect your wordpress blog and a piwigo gallery. And your blog and your photo gallery are accessible as guest without special authorization. How do you prevent a visitor to directly access your blog or your photo gallery ?
Offline
nicolas wrote:
I think there's something I do not understand. You create a restricted area using php session to protect your wordpress blog and a piwigo gallery. And your blog and your photo gallery are accessible as guest without special authorization. How do you prevent a visitor to directly access your blog or your photo gallery ?
Exactly: until now it was htaccess auth > "public" pwg/wp as guest
now it's php session auth > "public" pwg/wp as guest
that's why I want to restrict the pages by including a session.php file.
Do you know what I mean?
edit:
it was like this:
domain.com/restricted_area/piwigo and
domain.com/restricted_area/wordpress and
domain.com/restricted_area/othercontent
so I just had an auth with htaccess for domain.com/restricted_area/
now with sessions, the sub folders are obviously not protected against a direct url call.
so I added domain.com/restricted_area/session.php which checks if the user is logged in and if not, redirects to the login page.
Now I need any page which is delivered to be checked if the user is logged in.
For WP, I just included domain.com/restricted_area/session.php in a header include which does its job. For PWG I tried to do the same but have issues with the sessions (although the sessions have different IDs/names).
Last edited by dummer-esel (2020-04-30 13:29:58)
Offline
dummer-esel wrote:
nicolas wrote:
I think there's something I do not understand. You create a restricted area using php session to protect your wordpress blog and a piwigo gallery. And your blog and your photo gallery are accessible as guest without special authorization. How do you prevent a visitor to directly access your blog or your photo gallery ?
Exactly: until now it was htaccess auth > "public" pwg/wp as guest
now it's php session auth > "public" pwg/wp as guest
that's why I want to restrict the pages by including a session.php file.
Do you know what I mean?
Ok. I think I understand now. You add an include "session.php" in the main wordpress file. And you want to do the same with Piwigo.
What I proposed you to fit your needs is to create a special user in Piwigo and revert guest access in piwigo. You will use that user to give access to your restricted area and nothing more to do with piwigo. This way you have in Piwigo a way to give personnal access to your restricted area. To simplify managment, put all this users in the same group and give that group access to the albums you want.
To manage your restricted area, you can copy identification.php script from piwigo and adapt it a little (change link to include/common and such things) and probably use a specific template. In your previous session.php file included in wordpress, do not create the session, just check that the session exist and the user in it exists
Offline