The instructions in this page will help you to use CoSign functionality from a PHP webapp on a server that already has CoSign installed and configured.
If you simply want to use CoSign functionality for access control, the instructions on using CoSign may be all you need.
If you want to learn how to install and configure CoSign, you should read the instructions on installing CoSign.
CoSign is the Web Single Sign-On operated by ISS for use on central and departmental web servers and applications. Where possible, CoSign authenticates users (i.e. proves their identity) based on their existing credentials, so that no additional password prompts are necessary. Where this is not possible, either because there are no existing credentials, or because the browser is unable to pass them securely, the user will be prompted for his or her password just once per browser session, and the password will always be sent over a secure connection.
CoSign Web applications do not need to handle users' passwords; they are simply notified of the user's identity.
CoSign has been tested with a wide variety of browsers and operating systems, and is believed to operate correctly and securely in all circumstances.
At its simplest, using CoSign from a web app is very easy. Two server variables are passed through to indicate the identity of the user: REMOTE_REALM and REMOTE_USER:
For example, to see the identity of the current user, you can use the following code:
Sometimes in a webapp, you want to permit authenticated users to have one view of some information, and yet allow unauthenticated users to see a different view. For example, a content management application might allow anyone to view pages, and but restrict page editing to authenticated users.
Cosign allows authenticated and unauthenticated access to be mixed. To do this, add the following line to .htaccess:
In this configuration, requests from authenticated users will have REMOTE_REALM and REMOTE_USER set, whereas unauthenticated requests will have these values blank. Users can be prompted to authenticate by redirecting to a page that requires authentication (i.e. one that has CosignAllowPublicAccess set to 'off').
The central web server has access to a database of group membership information. You can do simple queries on this database with code like this:
Firstly, remember that this is a single sign-on system, so to truly log out, the user will be logged out of all the web applications that she is currently using. In most situations it's not necessary for the user to log out at all.
A full log out consists of two things:
If you don't clear the local session cookie and only redirect the browser to the CoSign logout URL, the CoSign session will still be logged out, but the local session will still be valid for about a minute because the CoSign filter caches the credentials.
If you only clear the local session cookie, and don't redirect the browser to the CoSign logout URL, the current session will be logged out, but the CoSign session will still be valid, and the user will be transparently logged in again, so it will look like nothing has happened.
The following PHP code will do a full logout:
'nexturl' can be set to any URL you like: the browser will be redirected to it after the logout is complete. If you leave 'nexturl' blank the browser will be redirected to the default CoSign logout page.