[Rt-devel] Passing an authenticated user to RT

Mike Peachey mike.peachey at jennic.com
Mon Feb 11 06:54:32 EST 2008

Jesse Vincent wrote:
> On Feb 11, 2008, at 5:18 AM, Mike Peachey wrote:
>> he user.
>> So far, I haven't discovered how I should do this. Apache authentication
>> and directly applying WebExternalAuth is not a valid option because
>> Apache would still be prompting for credentials as the website does not
>> use apache authentication, it's custom PHP authentication.
>> Also, the website uses session-cookies to store authentication? Could RT
>> read these somehow, or could we combine the RT cookies with the website
>> cookies?
>  Can RT get at the php app's cookies? What would the RT need to do to 
> validate the user's info from the php side?

I don't see why not. RT is accessed by the same domain (domain/rt) and 
then loaded into a frame.

As for what it would need to do, I'm not sure.. there are a number of 
possible ways to do it, but none seem sensible or secure or fast.

The website cookie currently stores a hashed loginID and a SessionID, 
but it could be coded to put more in the cookie.

> I've previously cooked up something for a client that:
>     * used client-side JS to turn a link from another system into an 
> HTTP POST to RT with the other system's cookie   
>     * used LWP and the cookie to do an HTTP GET against the other app.
>     * validated the credentials and wrote out an RT session

Because the website is ours to mangle (well, it's externally developed, 
but they do what we tell them to) we *should* be able to do it all 

For example, we *could* try and get the website super-frame to do a 
_POST to RT on load, but whether or not that would work or persist 
through in-frame page changes I don't know.

Alternatively, we might be able to get the PHP code to set an apache ENV 
variable that RT could read, just like WebExternalAuth does (but obv not 
a php variable because of RT running out of Perl - unless I write some 
php for RT to execute?), but again I'm not sure how I'd pick that up in 
RT, or how persistent the setting would be. AFAIK apache ENV variables 
die at the end of the request.

I'm just really not sure where to go with this as there are so many 
possible options, none of which are clear-cut on how to do them.
Kind Regards,


Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England

More information about the Rt-devel mailing list