I would like to get anyone's opinion on how secure they think this integration setup is. I have a site that uses aMember to administer the user accounts on the backend. It is equipped with the PostNuke plugin and a modified phpBB plugin that works with PNphpbb. So users that subscribe are put into the PostNuke group database and the PNphpbb group database.

As far as restricting access to protected content for expired users, I encountered a bit of a problem. When a user is expired, aMember will only restrict access to protected folders and files and does not remove users from groups in PostNuke or PNphpbb. Therefore, PostNuke cannot be used to control access to certain files or folders using PostNuke permissions for groups.

If I use php_include, there are numerous Smarty template errors if used inside a Core PostNuke Block, or even if I decide to initiate the page using the pnINIT() function in the pnAPI and give access to it via a MenuBlock of some sort. So, I've decided that using php_include is not a viable option, and .htaccess is also ugly and uncalled for. Using mod_rewrite could work; however, my ISP does not have it enabled and, as far as I can tell, it allows you to use a custom HTML form to gain access to the products, which could require users to log in more than once. I would assume that the custom form would have to check the member_member SQL table in aMember or use the $_SESSION[_amember_user][data][status] to verify access and without modification on my part would be the login script from aMember.

As previously stated in earlier posts, the PostNuke plugin for aMember will not log me into PostNuke due to a change in how PostNuke handles session data, per Alex. So, this would not work anyway without a fix to the aMember PostNuke plugin, which I do not have the time for. If I have not lost you yet, this was my fix.
First, I used the PostNuke pnUserLoggedIn() function in the pnAPI.php file to check to see if the user is logged into PostNuke, else a login form is displayed. Then, when the user is logged in, I wrote a PHP function that checks status in the member_member SQL table and, if it is valid, then displays protected information. I am fairly new to web security and am wondering if any of you have an opinion as to how secure this might be.

Thanks, Jason
Jason, aMember should remove the user from groups in phpBB and PostNuke upon expiration. If it doesn't happen, it may be a result of incorrect plugin modification! Contact your developers or us (if we made this modification) and ask for it to be fixed.
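
The two-step gate described in the first post (PostNuke login check, then a status lookup in member_member), written as an added example that is not code from either poster or from aMember. The `login` and `status` column names, the active value `1`, and the PostNuke user name matching the aMember login are assumptions; the rows are constructed sample data.

```php
<?php
// Added example. Assumptions: member_member has `login` and `status`
// columns, and status 1 means an active subscription.
const STATUS_ACTIVE = 1; // assumed value

// Stand-ins so the sketch runs outside PostNuke; inside PostNuke the real
// pnUserLoggedIn() and pnUserGetVar() from pnAPI.php are used instead.
if (!function_exists('pnUserLoggedIn')) {
    function pnUserLoggedIn() { return isset($GLOBALS['demo_user']); }
    function pnUserGetVar($name) { return $name === 'uname' ? $GLOBALS['demo_user'] : null; }
}

// True only when the row exists and is active; any database error denies access.
function subscriptionIsActive(PDO $db, string $login): bool
{
    try {
        // Bound parameter: the login is never concatenated into the SQL text.
        $stmt = $db->prepare('SELECT status FROM member_member WHERE login = ?');
        $stmt->execute([$login]);
        $status = $stmt->fetchColumn();   // false when no row matches
    } catch (PDOException $e) {
        return false;                     // fail closed
    }
    return $status !== false && (int)$status === STATUS_ACTIVE;
}

// The gate: identity comes from the PostNuke session, never from request input.
function mayViewProtected(PDO $db): bool
{
    if (!pnUserLoggedIn()) {
        return false;
    }
    return subscriptionIsActive($db, (string)pnUserGetVar('uname'));
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member_member (login TEXT PRIMARY KEY, status INTEGER)');
$db->exec("INSERT INTO member_member VALUES ('alice', 1), ('bob', 2)");

// alice is active, bob is expired, carol has no row, null is a guest.
foreach (['alice', 'bob', 'carol', null] as $user) {
    if ($user === null) { unset($GLOBALS['demo_user']); } else { $GLOBALS['demo_user'] = $user; }
    printf("%-8s %s\n", $user ?? '(guest)', mayViewProtected($db) ? 'allow' : 'deny');
}
```

Because the lookup runs on every request, an expired row is denied on the next page load even though the PostNuke group membership is unchanged. The gate covers only content emitted by the PHP page itself, not files the web server serves directly.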