Hello buddies!
I’m developing a virtual community web site. In this community there are users and groups. Users can join/leave groups.
When users create an account, they enter their username/pwd. The system
saves this info on a DB and also creates a Linux account with the same
username/pwd. For logging into the community, users provide their
credentials (username/pwd). The system hashes (md5) the pwd and
compares it against the pwd saved on the DB (also md5-hashed).
Now I want to integrate Openfire with my system in the following manner:
1- Users can use their community credentials to log into Openfire.
2- Whenever a user joins a group my system updates his roster by adding all other members of this group.
And I don’t want Openfire to directly access my DB (for security
reasons). And maybe my system will not have permission to update
Openfire’s DB (also for security reasons).
The best solution I could come up with was:
- Configure Openfire to use PAM authentication, once each user has a Linux account. (done with step 1).
- Whenever a user enters his pwd to log into the community, I use it to
authenticate on Openfire and perform all necessary roster updates
(using jabber msgs). (done with step 2).
The problem is:
There are cases where the user doesn’t need to type his password! The
session, with the help of cookies, can live 2 months or more, even if
the browser is closed, the session is still alive…
So my question is: Is it possible to keep the user ‘authenticated’ on
Openfire until his session on the virtual community expires?
Thanks a lot!!!