I want to use Multipass to implement SSO between two PHP websites. I have found a function to generate multipass at following link:
https://github.com/rps-repo/Redmine-PHP-MultiPass/blob/master/multipass.php
I have used the following function to generate multipass:
function gen_multipass($data, $site_key, $api_key)
{
$salted = $api_key . $site_key;
$hash = hash('sha1', $salted, true);
$saltedHash = substr($hash, 0, 16);
$iv = "OpenSSL for Ruby";
// double XOR first block
for ($i = 0; $i < 16; $i++)
{
$data[$i] = $data[$i] ^ $iv[$i];
}
$pad = 16 - (strlen($data) % 16);
$data = $data . str_repeat(chr($pad), $pad);
$cipher = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', 'cbc', '');
mcrypt_generic_init($cipher, $saltedHash, $iv);
$encryptedData = mcrypt_generic($cipher, $data);
mcrypt_generic_deinit($cipher);
return urlencode(base64_encode($encryptedData));
}
I am redirecting the user to following url:
http://mywebsite.com/?sso=' . $multipass;
Where $multipass = gen_multipass($data, $site_key, $api_key);
At http://mywebsite.com/ I have fetched the querystring value, i.e. $_GET['sso']. Now how should I get the original data from this encoded multipass string?
OR
Is there any better way to implement SSO between two PHP websites?