MachPanel Knowledgebase

HOW TO:Auto Login using API

: Last Year
: Mudesira Munir
: MachPanel

Summary

This article provides an API code example for autologin in php.

Applies To

This article applies to MachPanel build v5.6.44 and later.

Important Security Note:

Please follow steps mentioned on link below to protecting your website from ClickJacking

https://kb.machsol.com/Knowledgebase/Article/55646

Auto Login using API

MachPanel auto login using API functionality allows direct login to panel via a form submit in client application with below details.

[Note: For client application encryption of keys for auto login, encryption method defined in ‘MachPanelClientHandler.php’ inside WHMCS Integration package should be used. Encryption key defined in API settings should be used to encrypt the keys. ]

Template forms for auto login are given below.

For customer or reseller login

Client application will pass MachPanel CustomerId and API security code to login as customer/reseller account in customer/reseller panel respectively.

Key name for MachPanel CustomerId == ‘cid’

Key name for API security code == ‘scode’

    https://cp.domain.com/auth/login.aspx' method='post' target='_blank'>
    <input type='hidden' name='cid' value=encrypt($MPCustomerId) />
    <input type='hidden' name='scode' value=$scode />
    <input type='submit' value='Login to Control Panel' />
    </form>

For employee login

Client application will pass MachPanel employee login email and API security code to login as an employee account in service provider panel.

Key name for MachPanel employee login == ‘emp’

    https://cp.domain.com/auth/login.aspx' method='post' target='_blank'>
    <input type='hidden' name='emp' value=encrypt($MPEmployeeLogin) />
    <input type='hidden' name='scode' value=$scode />
    <input type='submit' value='Login to Control Panel' />
    </form>

Crypto-Test.php

In PHP when a variable is declared outside the scope of any class or directly in PHP code globally, it is not accessible within any function. For that either PHP GLOBAL array like Session in ASP.Net is used or either classes are defined.

Below is a reference link for above details.
https://stackoverflow.com/questions/13530465/how-to-declare-a-global-variable-in-php

Code Snippet

<?php

class Crypto

{

    var $securityCode = "";

    var $pKey = "";

    function __construct()

    {

      $this->securityCode = "KKKKK0FDDD";

      $this->pKey = "KKKK7RE0BYE55DKXTCNDPIOJ9DDDDJJJ";

    }

  function getRandStr($length) 

  {

    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

    $charactersLength = strlen($characters);

    $randomString = '';

    for ($i = 0; $i < $length; $i++) {

      $randomString .= $characters[rand(0, $charactersLength - 1)];

    }

    return $randomString;//"rUDVy2gI56ZRhE88fAglzrHkMiLY86Vo";//

  }

  function addpadding($string,$blocksize = 32)

  {

    $len = strlen($string);

    $pad = $blocksize - ($len % $blocksize);

    $string .= str_repeat(chr($pad), $pad);

    return $string;

  }

  public function encrypt($string = "")

  {

    $iv = $this->getRandStr(32);

    return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->pKey, $this->addpadding($string), MCRYPT_MODE_CBC, $iv)).$iv;

  }

}

$crypto_obj = new Crypto();

$cid = 112;

$enccid = $crypto_obj->encrypt($cid);

echo "<a href=\"https://cp.domain.com/auth/login.aspx?"

    ."cid=".$enccid

    ."&scode=".$crypto_obj->securityCode

    ."\" target=\"_blank\" style=\"color:#000000\">login to control panel</a><br />";

?>

PHP example of implementing the secure login independent of WHMCS integration using Security code and Encryption key shown in the snapshots below: