PHP SSO check session

Question

I am currently trying to create a Single Sign On page where once the user sign in using either Facebook or Google+ the user will be redirected to the provider page and then once login succeed it will redirect back to the index.php site. Now the problem is I want to know are there any ways to check whether the user has login. Example once the user logs in the login button should change to Logout. Can I know how to that. Thanks in advance.

<nav id="menu"> <!-- Navigation -->
    <ul id="tabs"> <!-- unordered list -->
        <li><a href="index.html">Home</a></li>
        <li><a href="about.html">About</a></li>
        <li><a href="contact.html">Contact Us</a></li>
        <li><a href="login.php">Login</a></li>
        <ul class="nav navbar-nav navbar-right" >
            <li style="float:right;list-style-type:none;">
                <a class="janrainEngage" href="#">
                    <img src="<?php echo $_GET['photo']; ?> " height="30" width="30"/>
                    <?php echo $_GET['name'];?>
                </a>
            </li>
        </ul>
    </ul>
</nav>

This is my login.php code:

<?php
// Below is a very simple and verbose PHP script that implements the Engage
// token URL processing and some popular Pro/Enterprise examples. The code below
// assumes you have the CURL HTTP fetching library with SSL.
require('helpers.php');

ob_start();

// PATH_TO_API_KEY_FILE should contain a path to a plain text file containing
// only your API key. This file should exist in a path that can be read by your
// web server, but not publicly accessible to the Internet.
$janrain_api_key = trim(file_get_contents('apiKey.txt'));

// Set this to true if your application is Pro or Enterprise.
$social_login_pro = false;

// Step 1: Extract token POST parameter
$token = $_POST['token'];

if ($token) {
    // Step 2: Use the token to make the auth_info API call.
    $post_data = array(
        'token' => $token,
        'apiKey' => $janrain_api_key,
        'format' => 'json'
    );

    if ($social_login_pro) {
        $post_data['extended'] = 'true';
    }

    $curl = curl_init();
    $url = 'https://rpxnow.com/api/v2/auth_info';
    $result = curl_helper_post($curl, $url, $post_data);
    if ($result == false) {
        curl_helper_error($curl, $url, $post_data);
        die();
    }
    curl_close($curl);

    // Step 3: Parse the JSON auth_info response
    $auth_info = json_decode($result, true);

    if ($auth_info['stat'] == 'ok') {
        echo "\n auth_info:";
        echo "\n"; var_dump($auth_info);

        // Pro and Enterprise API examples
        if ($social_login_pro) {
            include('social_login_pro_examples.php');
        }

        // Step 4: Your code goes here! Use the identifier in
        // $auth_info['profile']['identifier'] as the unique key to sign the
        // user into your system.
        //echo '<pre>'.print_r($auth_info).'</pre>';
        $name = $auth_info['profile']['displayName'];
        $address = $auth_info['profile']['address']['formatted'];
        $photo = $auth_info['profile']['photo'];
        $redirect = "http://localhost:8012/cm0655-assignment/index.php?photo=".$photo;
        header('Location: '.$redirect);
    } else {
        // Handle the auth_info error.
        output('An error occurred', $auth_info);
        output('result', $result);
    }
} else {
    echo 'No authentication token.';
}
$debug_out = ob_get_contents();
ob_end_clean();
?>
<html>
    <head>
        <title>Janrain Token URL Example</title>
    </head>
    <body>
        <pre><?php echo $debug_out; ?></pre>
    </body>
</html>

Answer 1

In your example above it appears you are having the client-side Janrain Social Login (Engage) Widget post the authentication token to your server running the PHP page. In this scenario, the token retrieved by the client-side widget is submitted to your PHP page where the PHP page makes a server-side curl call to the Janrain Social Login "auth_info" API end point. This call validates that the token is valid and returns the user's normalized social profile data to your server side page.

In this scenario, your server-side page would parse the result and if it is valid the server-side page would set a "flag" to indicate that the user has successfully logged in. There are many ways you can store the authentication state:

• The most secure is some form of server-side session variable that your server-side code always validates against.
• Write some code back as part of the result that sets a cookie or localStorage value to indicate that the user has authenticated.

Ultimately, how you manage the authenticated state is an implementation detail that is up to you. The Janrain Social Login (Engage) widget simply facilitates and normalizes the social login process and allows you as the developer to not have to implement all the different API's for multiple social login providers. The Janrain Social Login widget does not maintain authentication state.

To specifically, answer your question regarding the login/logout button - you would have a client-side Javascript that detected the setting of a cookie and toggled the text/css on the button or you could have your server-side page inject the necessary client-side Javascript code onto the page. A more robust option would probably use AJAX type calls to post the token and receive the result and subsequently update the button state.