I'm probably waaay in over my head, but here goes:
I have set up a rails app and an associated beehive forum (http://www.beehiveforum.net/), both running from subdirectories on the same apache server, with separate databases on the same MySQL instance.
Can anyone suggest how I might go about implementing a single login for both the rails app and php forum, such that registering for one populates the user table of the other, and they can (somehow) 'share' a login session, by which I mean if you login to one, you are automagically logged into both, same for logout (otherwise they don't share any other info or functionality).
Assuming this is even possible, what are the security implications?
Funny you should mention doing this, I'm about to embark on the same adventure.
There are a few ways.
Have a users database that is separate from both apps' DBs. Store the user/password & salt here, authenticate as per normal, but point the users models to the users DB.
Have a users SAAS (software as a service) application, that only talks webservices to any other application. This is the way we're going, since we'll have 10+ websites talking to the same user database, and they may eventually be in physically different locations (e.g. across the globe). The SAAS application will respond to a few xmlrpc commands ("authenticate", "has_access") to start with.
So any of our applications can submit login credentials via xmlrpc to our SAAS service using the authenticate function. It will return either the user record in xml format (which can be used to build the object) if the user checks out, or false/nil otherwise.
The has_access will tie into an elaborate ACL scheme we have, to store which user has access to which common sections.
But for scalability purposes, number 2 is the way to go, unless you want something quick and fast, and therefore number 1.
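The "users service" approach sketched in the reply above, written out as an added example (this is not code from the thread, from Rails or from Beehive Forum): one shared users store with salted password hashes, an `authenticate` call that hands back the user record or `nil`, and a `has_access?` call that consults a per-user list of sections. The class name `UsersService`, the `register` helper, the choice of PBKDF2-HMAC-SHA256 for hashing, and the in-memory Hash standing in for the separate users database are all assumptions made here; the XML-RPC transport the reply mentions is left out so the block runs stand-alone.

```ruby
require 'openssl'
require 'securerandom'

# Added example of the shared users service described above.
# A Rails app and a PHP forum would both call this one service instead of
# keeping their own password tables. All names here are assumed, not from
# the thread; the Hash below stands in for the separate users database.
class UsersService
  ITERATIONS = 100_000 # PBKDF2 work factor (assumed value)
  KEY_LEN = 32         # bytes of derived key (SHA-256 output size)

  def initialize
    @users = {} # username => { salt:, hash:, record:, sections: }
  end

  # Registering once here is what makes the account visible to every app.
  def register(username, password, email:, sections: [])
    salt = SecureRandom.random_bytes(16)
    @users[username] = {
      salt: salt,
      hash: derive(password, salt),
      record: { 'username' => username, 'email' => email },
      sections: sections,
    }
    true
  end

  # Returns a copy of the user record (what a caller builds its user object
  # from) when the credentials check out, nil otherwise. An unknown username
  # still runs the key derivation so response time does not reveal which
  # usernames exist.
  def authenticate(username, password)
    entry = @users[username]
    salt = entry ? entry[:salt] : SecureRandom.random_bytes(16)
    candidate = derive(password, salt)
    return nil unless entry && secure_equal?(candidate, entry[:hash])
    entry[:record].dup
  end

  # ACL lookup: may this user reach the named common section?
  def has_access?(username, section)
    entry = @users[username]
    return false unless entry
    entry[:sections].include?(section)
  end

  private

  # Salted, iterated hash so a leaked users table is not directly reversible.
  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
  end

  # Constant-time comparison of two byte strings of equal length.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Builds a service with one constructed account, as both apps would share it.
def demo_service
  svc = UsersService.new
  svc.register('alice', 'correct horse battery staple',
               email: 'alice@example.invalid', sections: ['forum'])
  svc
end

if __FILE__ == $PROGRAM_NAME
  svc = demo_service
  p svc.authenticate('alice', 'correct horse battery staple') # user record
  p svc.authenticate('alice', 'wrong password')               # nil
  p svc.has_access?('alice', 'forum')                         # true
end
```

The point of the shape is that neither application ever sees a password hash: each sends credentials over the wire and gets back only a record or a refusal, so the hashing scheme can be changed in one place. Sharing the login *session* between the two apps (the "log in to one, logged in to both" part of the question) is a separate problem that this service alone does not solve.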
Maybe you can get some idea here: http://blog.aisleten.com/2007/07/04/integrating-beast-forum-into-a-ruby-on-rails-app-part-1/
Thanks for responding. For the time being I have taken the coward's way out and added this to the forum start page:
"For added security of the [XXXXXX] web site, and registered [XXXXXX] members' private information, the [XXXXXX] Forum has separate registration, logon and logoff."