You can find a Session control section on the Security screen. Click it to open a popup containing PHP session name and JWT (JSON Web Token) secret key options.
Session control
Sessions never expire
This is not a secure option. Only use it for internal apps in a trusted environment.
Sessions expire after ...
Normally sessions expire after an amount of time specified in web server settings (session timeout). The default timeout depends on the web server and usually in the range of 20-30 minutes. To avoid making global changes to web server settings you can specify session timeout for your project.
Warn user when his session is about to expire
When this option is enabled a nice popup window will be shown to the end user when their session is about to expire. This page look can be changed in the Page Designer, under Common pages -> session_expired.
This option allows you to enter any set of characters as a PHP session name.
If you have two PHP projects on the same server and you want them to share security settings (single sign-on), enter the same session name for both projects.
Note: we do not recommend using both shared PHP sessions and JWT tokens at the same time as the will be a conflict. JSON Web Tokens is a better option.
JSON Web Tokens are a secure, cryptographically protected way of exchanging data over the network.
In PHPRunner, JSON Web Tokens are encrypted with a secret key specific to your application. If you want the users to log in only once to access all your applications, make all your projects share the same secret key.
You can enter the same JWT secret key for all your projects on the Security screen -> Session keys dialog. This allows different projects to verify each other's tokens.
Lets say you have two projects that share the JWT key. In the first project, you can create a link to one of the second project pages (and vice versa). In the Menu Builder create a new item, choose to link to the External page and check off the checkbox saying 'Link to another application that shares the same JWT secret key'. This is it.
Visit https://jwt.io/ to learn more about JSON Web Tokens.
How PHPRunner uses JSON web tokens
Remember me box on the Login page
When a user logs in with Remember me box checked off, PHPRunner application creates a JSON web token with the username and stores it in the cookies at the user's browser.
When the user leaves the site and returns in a few days, the application receives that token, verifies that it created it itself and logs the user in without asking for username and password.
Single Sign-On across multiple applications (SSO)
JSON Web tokens are encrypted with a secret key specific to your application. If you want your users to login only once into all the applications, make all these projects use the same secret key. Specify the same JWT secret key for all your projects on the Security screen -> Session keys dialog. This will allow different projects verify tokens of each other.
The next step is to create links between the projects that send the tokens to each other. PHPRunner provides a special script for that, external.php i.e.
external.php?url=<URL of a page in another project>
When a logged in user clicks that link, the script creates a JSON Web token and redirects the user to another project attaching the token to the request. The other project receives the token, verifies and logs the user in seamlessly.
You can add such links to other projects to the menu in the Menu editor.
Create a Link to external page there and check off the "Link to another application that shares the same security settings" checkbox.
You can also create such links in the events code.
PHP:
$externalLink = "external.php?url=" . urlencode("http://www.othersite.com/path/menu.php");
// redirect the user to other project
header("Location: " . $externalLink );
Javascript:
var externalLink = "external.php?url=" + encodeURI("https://www.othersite.com/path/menu.php");
// open another project in the same window or tab
window.location.href = externalLink;
Important notice
In order for the token to be accepted, the link must lead to a PHP page. The following two examples will not work:
// Wrong, links must point to a PHP page
$externalLink = "external.php?url=" . urlencode("https://www.othersite.com/path/index.htm");
$externalLink = "external.php?url=" . urlencode("https://www.othersite.com/path/");
Security related articles:
•CAPTCHA on authentication pages
