Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+6 votes
in Q2A Core by
edited by


  • Running a q2a forum siteQ.com
  • Running a custom website siteB.com with a custom script for user logins. 
  • I want to get rid of the custom login script. Instead I would like to use the table "qa_users" from siteQ.com (q2a forum) for the login handling.
  • I know already that I can access the q2a db and files from siteB.com via external integration


1. User does his login on siteB.com using table qa_users (works already with external integration)

2. User coming from siteB.com visits siteQ.com which recognizes the user as loggedin.

By the way, you know this login feature from Google and Stackexchange, for instance.


How can this be implemented?


I researched already and found on stackoverflow: 1, 2, 3. But probably there is a simpler way within question2answer.

Q2A version: 1.7.4
I thought I could just do from siteB.com: <form method="post" action="https://siteQ.com/login"> BUT the q2a forum expects the security token.
Are the 2 domains on the same server?
Yes, full root access and same database.
I think the way to achieve this is by using AJAX. I found an example here and will try to test it soon: https://github.com/0k/multidomain-sso

2 Answers

+2 votes

To report back what solution I implemented: 

1. Created a plugin that is basically a copy of page login.php (e. g. /externallogin/)

2. Plugin receives parameters (email, encrypted password and form security code) by the URL  

3. Plugin processes login, without any redirect or alike.

4. Plugin uploaded to 2 external forums (that use the same userbase as the main site!)


5. Core hack of qa-include/pages/login.php to output the IMG embeds which load our external login scripts (plugin!). We encrypt our password to NOT send it as plain text. It is not 100 % safe but better than plain text! And all my sites are running on HTTPS/SSL. The following code comes after $topath = qa_get('to');

// Q2APRO HACK for Multiple Logins (single sign-on)

// first we must decrypt the password 

$encryption_key = '12345678123456781234567812345678'; // your KEY
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
$inpassword_encrypted = openssl_encrypt($inpassword, 'aes-256-cbc', $encryption_key, OPENSSL_RAW_DATA, $iv);
$inpassword_encrypted = $inpassword_encrypted . ':' . base64_encode($iv);

// decrypt 
// $parts = explode(':', $inpassword_encrypted);
// $decrypted = openssl_decrypt($parts[0], 'aes-256-cbc', $encryption_key, OPENSSL_RAW_DATA, base64_decode($parts[1]));

$inpassword_encrypted = urlencode($inpassword_encrypted);
$formcode = qa_post_text('code');

// do multiple login requests using image embeds
$output = '
function do_redirect()
<body onload="do_redirect()">
<div style="display:none;">
    <img src="//www.myexternalsiteA.com/externallogin?eh='.$inemailhandle.'&p='.$inpassword_encrypted.'&c='.$formcode.'"/> 
    <img src="//www.myexternalsiteB.com/externallogin?eh='.$inemailhandle.'&p='.$inpassword_encrypted.'&c='.$formcode.'"/> 

echo $output;


Hope that helps.

There are other ways to achieve single sign on / multiple logins, here are a couple of links that give you some ideas: 

0 votes

If you do not want to share your DB with the WordPress installation, you can use one more WordPress installation as a single sign-on server.


For us,

We have

https://publicityport.com (WordPress)

https://softwaretestingboard.com (WordPress MultiSite)

https://softwaretestingboard.com/qna (Question2Answer)

https://digitalmarketing.q2a.io (Question2Answer)

All four site can connect to one common server, https://myaccount.publicityport.com to get the user authorized.

So, users do not really have to create a separate account for all sites. 

For, WordPress you can create a single sign-on client. And for Q2A, you can use the plugin, https://github.com/PublicityPort/q2a-publicityport-login

Please don't spam here. It seems you are copying and pasting same content into the site.
It's not spamming. The answer is relevant to questions asked. If you find it spamming, I apologize for the inconvenience.
Wordpress was indeed not asked for. That's why Yogendra thinks it is spam. -- Does the plugin above work without dependencies as Single-Sign-On?
I understand. But, there is nothing wrong to look at the possible solutions. You can simply make SSO out of any other CMS or framework, if not WordPress.

What I tried to convey is that the solution is possible and I just shared what I have.

You are right, the plugin does not work w/o dependency as SSO. But, I think that is the best possible solution we have right now if you want to scale your site.
...trying to clarify. Apologies if I came out harsh.

I know you've been trying to help the community. However, copying and pasting same content in most of the related questions (maybe) seems spam post. It sometimes irritates to see the same thing all around.




Thank you for pointing that out.
I agree with your point. I have removed my answer or edited wherever it's required.

That's the best I can do :)
Anyways, thank you for helping the community.