Use Joomla Login Credentials Outside of Joomla

On several occasions I needed to interface with a Joomla installation from a satellite web application. In these scenarios, it is useful to integrate a login check that accesses the Joomla username and password data. While this integration is not terribly difficult, I spent a long time digging around forums before I located helpful information. In the interest of saving time for others, here is what I found.

First, the Joomla process for creating a new user goes like this:
1. Validate that username is unique.
2. Generate a random 32 character "salt" value.
3. Combine the password + salt, and hash the combined value.
4. Store the hashed result followed by the salt value used to generate it.

For example, when I create a new user with username 'joomla_user' and password 'joomla_password', Joomla does the following:
1. Make sure there is not an existing 'joomla_user' username value in jos_users.
2. Generate a random 32 character salt (ex: TUIG6Wyx2gPavlcPm73mdpN4uWjZ8dvv).
3. Combine password and salt, then hash the entire value with MD5:
$value = md5('joomla_password'.'TUIG6Wyx2gPavlcPm73mdpN4uWjZ8dvv');
4. Store the hashed value followed by the original salt in the database (separated by a colon):
$value.':TUIG6Wyx2gPavlcPm73mdpN4uWjZ8dvv' is inserted.

In order to integrate your web application with the Joomla login, retrieve the stored value for the username from the database, separate the salt from the hashed password + salt combination, salt and hash the entered password the same way, and compare your result to the hash from the database. It looks like this in PHP:

 
<?php
$dbhostname = 'localhost';
$dbusername = 'root';
$dbpassword = 'password';
$dbdatabase = 'joomla15';

// Get these from your form...
$username_for_check = 'admin';
$password_for_check = 'admin';

$mysqli = new mysqli($dbhostname, $dbusername, $dbpassword, $dbdatabase);

// Bind the username as a parameter; form input is never concatenated into the SQL.
$stmt = $mysqli->prepare('SELECT j.username, j.password FROM joomla15.jos_users j WHERE j.username = ? LIMIT 1');

if ($stmt && $stmt->bind_param('s', $username_for_check) && $stmt->execute()) {
  $stmt->store_result();

  if ($stmt->num_rows == 0) {
    echo 'Username does not exist.';
  } else {
    $stmt->bind_result($joomla_user, $joomla_stored);
    $stmt->fetch();

    // The stored value is "<md5 hash>:<salt>".
    $pass_array = explode(':', $joomla_stored, 2);
    $joomla_pass = $pass_array[0];
    $joomla_salt = isset($pass_array[1]) ? $pass_array[1] : '';

    // hash_equals() compares in constant time and avoids loose == comparison of hash strings.
    if (hash_equals($joomla_pass, md5($password_for_check.$joomla_salt))) {
      echo 'Username and password combination validated.';
    } else {
      echo 'Invalid password for username.';
    }
  }
  $stmt->close();
} else {
  echo 'LOGIN VALIDATION: MySQL Error - '.$mysqli->error;
}

$mysqli->close();
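
The check above only understands the `hash:salt` value described in this post. The following is an added example, not code from the original post or from Joomla: a helper that verifies that legacy format and reports any other stored format separately, so a newer installation's hash is not misread as a wrong password. The name joomla_verify_password and the sample values are constructed for illustration, and treating values that begin with `$` as crypt-style hashes (such as the bcrypt output of PHP's password_hash()) is an assumption about newer Joomla releases.

```php
<?php
// Added example; joomla_verify_password() is a hypothetical helper, not a Joomla API.
// Returns 'ok', 'bad_password' or 'unsupported_format'.
function joomla_verify_password(string $plain, string $stored): string
{
    // Crypt-style values start with '$' (bcrypt is "$2y$..."). They are not
    // md5(password . salt), so the legacy comparison can never match them.
    if ($stored !== '' && $stored[0] === '$') {
        if (password_get_info($stored)['algoName'] === 'unknown') {
            return 'unsupported_format';   // a scheme PHP core does not recognise
        }
        return password_verify($plain, $stored) ? 'ok' : 'bad_password';
    }

    // Legacy format from the post: 32 hex characters of md5(password . salt),
    // a colon, then the salt.
    if (preg_match('/^([0-9a-f]{32}):(.+)$/D', $stored, $m) === 1) {
        return hash_equals($m[1], md5($plain . $m[2])) ? 'ok' : 'bad_password';
    }

    // Anything else (empty value, hash without a salt part, unknown layout).
    return 'unsupported_format';
}

// Constructed sample values; the salt is the one used in the post's example.
$salt   = 'TUIG6Wyx2gPavlcPm73mdpN4uWjZ8dvv';
$legacy = md5('joomla_password' . $salt) . ':' . $salt;
$bcrypt = password_hash('joomla_password', PASSWORD_BCRYPT);

foreach ([
    'legacy, right password' => [$legacy, 'joomla_password'],
    'legacy, wrong password' => [$legacy, 'guess'],
    'bcrypt, right password' => [$bcrypt, 'joomla_password'],
    'no salt part'           => [md5('joomla_password'), 'joomla_password'],
] as $label => [$stored, $plain]) {
    echo $label, ': ', joomla_verify_password($plain, $stored), PHP_EOL;
}
```

Logging the 'unsupported_format' result separately from 'bad_password' makes a changed hashing scheme visible instead of showing up as a run of failed logins.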

Comments

Use Joomla Login Credentials Outside of Joomla — 34 Comments

  1. Hii,
    I am new to Joomla. There are two applications. One is developed using Joomla and the other using PHP MVC. Let’s call them application A and application B.
    The scenario is:

    When logged in A on clicking a menu item directs to B’s login page.

    I want to continue the session of site A into site B.
    Please help.

  2. This is really great, thanks! But I have some problems for joomla 3.x
    I am always getting same issue that Database OK!, username OK! but password is incorrect.
    Where am I wrong? please help me 🙁

    • I haven’t tested in 3.x, but I can say that if the password is incorrect it’s either that the password is wrong or the hashing mechanism is different. You can check things manually by echoing the hash value you get and comparing to the password entry in the joomla db. If those are different, it’s likely that the password is wrong or the hashing mechanism is different (either it’s not as simple as pass+salt, it’s not using md5, or both). I don’t think the default hash mechanism is md5 any longer in php core – that’s where I’d start searching.

      • Thanks for your help…I have tried echoing the hash value and realised that 3.x uses a different hashing system :/

  3. Hi, i want to do the same from my Ruby on Rails application. I was thinking to use post method form but i can’t figure it out. Can you give me any directions please?

    • This same technique will work in ROR, you just need to be sure that the encryption mechanism is the same (it’s explicitly md5 in the PHP snippet, you can achieve the same with ROR). I think you’ll encounter a few challenges trying to POST directly to the Login component from an external application, but I honestly haven’t attempted it.

      I’ll also say that if you are using a newer version of Joomla (3+), things are starting to feel more API-like in the background. If that’s the case, you can likely integrate directly with a service via POST/GET. This may be the POST you’re referring to, and if you’re on a new enough Joomla, I think it’s a good idea – much better than directly accessing the database. I’ll try to put something together, but I’m not getting much time for Joomla work lately, and I am really not up on the latest releases.

      • Hi and thank you for your quick answer.

        Let me ask you one more question please. Is there any more simple way just to pass two string (username & password) from my RoR database (SQLite3) to the Joomla form and auto-submit it? Let tell you 2 things about my app. I have created a model where the user can create through a form projects. Through that form Joomla username and password i saved in my SQLite3 database. I tried by creating some forms with put or post methods but the only result i saw was to see the data passed to the url. Something like that:

        http://localhost/final_project/administrator/?utf8=?&admin=get&123456=get&button=

        I thought that if i can pass them to URL i am missing one detail to solve it.I have spent many many days searching about this.

        Sorry about my english.
        Thank you in advance

        • There’s not a simple way. Joomla doesn’t include any authentication API/Service. Because of this any external access to a URL is problematic, as Joomla doesn’t return the right objects (Joomla tries to simply redirect to a page and return the page contents, you would want something like a true/false or User/Session object).

          So you can hit the db directly (as described here), or you can add an extension to Joomla manually to create that API/Service for authentication. There’s good info on that effort http://stackoverflow.com/questions/2176595/joomla-login-authentication-from-external-app

          Good luck!

          • I am trying not to be bothersome but I am a very beginner in general. I have to do the same if I don’t want authentication? I mean if I just want the user of the app not to type his username and password on keyboard and just click a hyperlink button in my RoR app and let Joomla do the authentication. Is this the same thing? I am thinking wrong?

            Thanks a lot mister!

          • I think your best bet will be the solutions on the stackoverflow page. IIRC, Joomla doesn’t have an authentication API, and it doesn’t support any formal session sharing. This means that if you want a session in Joomla, you’ll need authentication credentials and you’ll need login. If you want to move someone from an external app to Joomla, this gets pretty tricky. If you just want to use the Joomla creds to login externally, the solutions in this article and the SO post are excellent starting points.

          • I am trying not to be bothersome but I am a very beginner in general. I have to do the same if I don’t want authentication? I mean if I just want the user of the app not to type his username and password on keyboard and just click a hyperlink button in my RoR app and let Joomla do the authentication. Is this the same thing? I am thinking wrong?

            Thank you very much!

  4. Awesome sir… You make my Day.
    Authenticating my Android App with Joomla username & password.
    Before it, I’m using JFusion and build my script for login into WordPress.
    But now, I can directly login to Joomla.
    If anybody else want to know how to make login form in Android with Joomla Username and password auth.php I will share for free. Thank you sir…

  5. Hello everyone,

    I have a main website built in joomla 2.5 in which the person will login and after that he will be shown a hyperlink which will route him to an asp.net website. The way I’m achieving this Single Sign On is that when login to Joomla 2.5 website is successful, I generate a random value and store that value and username in Mysql table, encrypt the randomly generated value and send it as querystring to asp.net application. In an asp.net application, I will decrypt the querystring value and access Joomla 2.5 mysql table to verify the value. The PROBLEM is that Mysql for Joomla 2.5 is not allowing remote access to database. I have tried many things and went thru various forums but all in vain. Please, help me in this regard. Thanks

    • Joomla does not regulate database access; this is managed via firewalls and the MySQL server. Be sure that the server is allowing external access over the port on which MySQL is listening (defaults to 3306), as firewalls could be blocking this. Also validate that the mysql user who is trying to connect is granted access to the database from the external ip (user@externalip or user@’%’).

      • Hi ImperialWicket. Thanks for your comment. I’m junior as far as MySQl development is concerned. Can you let me know how to make sure that mysql user is granted access to the database from external ip? Also, can you let me know how to check whether sql server is listening and allowing external access to port 3306. Thanks.

        • It depends on the server config. If your MySQL server is on shared hosting, they often do not allow external access. Some of them do, and you would validate it in Plesk, Cpanel, or some such admin interface.

          If you have root access to a dedicated server, you can check the output of something like ‘netstat -lntupe’ – if there’s a 3306 listener, it is likely MySQL. If the local address is listed as ‘127.0.0.1:3306’, then MySQL is only listening to local requests (which would keep external access from working). Another check to validate the port is to find ‘my.cnf’ and look for the defined value of ‘port’. Note that these are Linux-specific instructions; if you’re on Windows or OSX, I can’t offer much help. Once you know what port MySQL is listening on, you can check firewall rules to see if external access is allowed.

          User-specific grants in MySQL are stored in the mysql.user table, you would just need to select the appropriate records for the user who you want to connect to the db. Access is granted to users inclusive of the ip from which they may access. If it isn’t the wildcard ‘%’, it only works if you request from the granted IP.

  6. Any good Joomla PHP programmers looking to make a little $ ?
    I need to get a Com converted from 1.5 to 2.5. It stores the user password upon login and allows me to use their username and password to login to another app.
    It is similar to this – but because we use A.D. this is the only module that seems to store the password for us in another table.
    The current component we use is WLXT http://code.joomla.org/gf/project/wrapper_login/wiki/?pagename=WlxtForJoomla – but the author is not maintaining it for 2.5

    • I think interfacing with the existent db table is probably much safer. You can pretty easily create a custom web service using code like what’s described here, and validate login with the data Joomla is already managing. The fact that WLXT ever had an option to store plain text passwords in a separate db table concerns me (from a security perspective).

    • This is still working for me, all the way to 1.7 and 2.5.  There are a couple areas where it can fail, I’d check the following:

      1.  The alternate PHP instance has access to the database (if it’s on another server, it may be a firewall or MySQL privilege issue).
      2.  I use the database name ‘joomla15’, which is probably not what your database is named, make sure the correct database name is in use.
      3.  I use the now legacy database table prefix ‘jos_’.  Joomla (for security purposes) now randomizes the prefix.  The table name still ends in ‘users’.

      All of these issues should result in a mysql error displaying.  If you see credential error messages, then it is an issue with inconsistent credentials.

      Hope this helps…

  7. Only one thing to say: gracias amigo
    Very valuable information, thanks A LOT

  8. I understand how the base of your form works, but how can I pass the joomla username/cleartext password you retrieve here to a url in an IFRAME? I’ve got an internal app that can receive username/password via URL POST, and I’d like to do it this way.

    • @UniJoe – Joomla does not store user passwords in plaintext, so there is no way to get a password out of the joomla database. Also, keep in mind that the passwords are hashed using PHP’s MD5 implementation, so you will want to use a PHP script to handle the password encryption to reduce the possibility for inconsistencies in MD5 encryption.

      If you have an application receiving a username and password via POST, the safest way to confirm that they are a valid Joomla user with the appropriate password is to create a database connection to your Joomla installation and run the check as described. You could export usernames, encoded passwords, and salts to a local file, and run the check using a local file – but this runs into consistency/concurrency issues and can turn into a mild security concern if you aren’t careful.

  9. i am lost
    i need to log to joomla from external site and this what i am looking for however i try and it no working for me i get “Username does not exist.” i change the $mysqli->query('SELECT j.username,j.password FROM joomla15.jos_users.
    Any help or sample to run on localhost
    much appreciation for your script.
    Thanx

    • If you receive the “Username does not exist” error, then your MySQL connection is successful, and the query is not returning any results for the username that you specified.

      Try querying your database for “SELECT username FROM .users;” and making sure that the username being passed exists in the Joomla database.

  10. Thanks a bunch mate! I’m now using this script for my Joomla 1.6 installation.
    Everything works perfectly within my own code.

    I made 2 small changes:

    1. $mysqli->query('SELECT j.username,j.password FROM joomla15.jos_users
    changed the fixed “joomla15” to $dbdatabase that you declared earlier.

    2. added some security checks like (mysql_real_escape_string) to:
    $username_for_check = 'admin';
    $password_for_check = 'admin';
    before passing it straight into the query.

    Good to see that people are sharing more and more information!