infocard for Wordpress (pre-release)

pursuant to my prior post on Kim's php code release, I predicted that the php code would be no magic. The real "magic" is in the browsers capability of invoking the "identity Selector" and passing data packets back and forth between the infocard enabled website using the OBJECT tag and the "Identity Selector". More on the browser side later. This post is about what Kim's php code "may" look like.

Please Read Update 2 at the bottom of this post

First and foremost, infocard requires SSL. So What Kim may have done on the serverside is force SSL usage on his admin pages. This "probably" is accomplished by seting up Rewrite Rules on the "insecure" host.

In the .htaccess or virtual host stanza in httpd.conf www.identityblog.com, Kim may have the rewrite rule to automatically go to the secure host when you browse to http://www.identityblog.com/wp-admin/. It's pretty evident because it does just that.

RewriteRule ^wp-admin/(.*) https://www.identityblog.com/wp-admin/$1 [C]

If Kim is using permalink rewrite rules, this line would probably appear before RewriteRule ^.*$ - [S=40]

I also noticed that Kim does not restrict access to the "public" www.identityblog.com over SSL. But if he chooses, he could restrict access to the secure site only to administrators, and force the public site to be served over non SSL.

Well, his httpd.conf file may look something like the following:

It is probably a good idea to utilize SSL for user logins and registrations apart from administration. I hope Kim consider's the following substitute RewriteRules. He currently does not do that.

Insecure
RewriteRule ^wp-(admin|login|register)(.*) https://www.identityblog.com/wp-$1$2 [C]
Secure
RewriteRule !^/wp-(admin|login|register)(.*) - [C]

Now as far as the php code goes: Here's what I believe has been done.

  • He's enabled External Auth. (ie: not MYSQL, but infocard auth)
  • Modified the following Files:
    1. infocard/* : Contains all the infocard functionality
    2. wp-login.php : Contains the infocard authentication code and modified cookie content
    3. wp-admin/auth.php : This is modified to take account of the infocard cookie marker
    4. wp-config.php : Contains some infocard definitions
  • wp-includes/functions.php:wp_login() : modified to do infocard authentication and check for the infocard marker in the cookie
  • wp-includes/functions.php:wp_setcookie() : modified to set the infocard marker instead of the password in the cookie

NOTE: The directory /infocard is not really called infocard. I have no idea what the directory name is. I assume that it's infocard. I cannot crosscheck it because He probably has a .htaccess file there that does not allow directory listing. So for all you know the directory may be called "unknowndirectory".

The file wp-config.php probably contains an "infocard" switch define(’INFOCARD_ENABLED’, true);. Setting INFOCARD_ENABLED to TRUE turns on "infocard" authentication. Setting it to FALSE turns it off and normal WordPress authentication takes over.

NOTE : I'm trying this on my own test box and not directly on www.identityblog.com. And since I have my own private network, and am doing this on my own boxes (offline). I edited the file contents to "identityblog" to relate to what kim's doing on his site.

Thats all for now. I gotto run, My daughter (my everything) just had a fall and is bleeding... I'll follow up on this later...

I shall post PHP code itself shortly. Please note: I am not stealing Kim's code; nor have I obtained it from him in any form so far. I am doing something similar to what Kim "may" have done. and am posting that code here.

Since the code's distributed across several files and directories I shall post a link to a tar file download and installation instructions. If you would like to "infocard" enable YOUR "wordpress" installation you could just follow the instructions in the tar file and use it.

Also Note that This is not generic php. It's specific to wordpress.

The reason i'm doing this, is because the market coverage for this php code is so so much that it suprises me that folks do not realize that php aint magic. The code release I would like to really see is the "browser" bit.

releasing php code for wordpress does not make infocard opensource.

UPDATE: I'd be very curious to find out how closely my code would resemble Kim's actual code. Kim: If youre reading this could you give me an indication if i'm going down the wrong path ?


UPDATE 2: I tested this approach over and over... The php code DOES HAVE "some" magic in it. It needs to understand the MetaData and obtain the xml token that the "Identity Selector" sends across... more investigations underway... Will keep you posted..SORRY Kim, Sorry for saying there's no magic ;-)

Posted on: Mar 18, 2006

Posted by: Rohan Pinto

Category:

Tags: none

Permanent link to this entry

Comments:

Post a Comment:
Comments are closed for this entry.

This blog copyright 2009 by Rohan Pinto