WordPress w/ Forms Authentication on IIS6

I know I said yesterday that I’d start a series about creating dotnetnuke modules, but I solved a problem yesterday after I wrote that post that I think a lot of you will be interested in.  Especially if you are using wordpress in combination with an ASP.NET site.

The problem we had was this.  We have an ASP.NET web site that requires a login before anyone can see any pages.  We wanted to add a WordPress blog to it that could only be viewed when people log in and wanted to be able to have the same user names in WordPress that they had in ASP.NET.

I did see one plug in that would let us log in to WordPress using forms authentication.  But, it only works under IIS7.  We are still using IIS6, as most of the world is, so that solution wasn’t going to work.

So, here’s what we did.  Most of the work was on the WordPress side, which required a bit of PHP knowledge.  I’ll be the first to admit that I know very little PHP.  But, I do know enough to hack it when I have to.  So, on the ASP.NET side, all I did was set a cookie to the username after the user logged in.  That gets the username some place where WordPress can see it without too much effort.

To force WordPress to require a login, we used the Authenticate plugin.  So, the only real work we needed to do was to create a system that forces the user to use the Login.aspx page on the main site, create a new user if they user doesn’t exist, and log the user into WordPress.  Since only one or two users need special privileges, we left assigning roles to the user as a manual process.

Here is our PHP code, commented so you can see how we got this working.  This code should replace wp-login.php.  There is probably some elegant way of making this work as a plug-in, but I’m not really a php programmer, I just play one on TV.  If you know how to make it into a plug-in, let me know.

require( dirname(__FILE__) . '/wp-config.php' );
require_once( ABSPATH . WPINC . '/registration.php');

function smartLogin() {

echo "start smartLogin";

    $errors = new WP_Error();

  // If no cookie was set, they have not
  // logged into the main site.
        $user_login = $_COOKIE['wpuser_zzz'];
    // If they aren't logged in, see what
    // WordPress page they were trying to access
        if( isset($_REQUEST['redirect_to']) )
            $returnUrl = '?returnUrl=' .
            $returnUrl = '?returnUrl=' .

    // and send them to the login.aspx page with
    // the page they were trying to get to as the
    // returnUrl parameter.
        header('Location: ' . get_option('siteurl') .
        '/../login.aspx' . $returnUrl);


    $user_login = sanitize_user( $user_login );

  // If the user doesn't exist in WordPress yet, create them
  // use the md5 hash of the username as the password
  // (so they can't guess it... you may want to salt the md5)
    if ( !username_exists( $user_login ) )
        $user_id = wp_create_user( $user_login, md5($user_login), "" );

  // Once the user is created, log them in.

  // Now, redirect them back to the page
  // they were trying to get to
  // or the main blog page if you can't find
  // the original page
    $redirect_to = get_option('siteurl');
    if ( isset( $_REQUEST['redirect_to'] ) )
        $redirect_to = $_REQUEST['redirect_to'];

        header('Location: ' . $redirect_to);

    return $user_id;

// call the function above


Related Post

12 Responses to “WordPress w/ Forms Authentication on IIS6”

  • Very cool addition to the WordPress toolbox.

  • Kaly:

    Hello There,
    I haven’t tried the code yet, but before doing so, what about the admin account in wordpress? the one you enter when installing wordpress?

  • Dave:

    The easiest thing to do is to create a user using this method. Turn off this method long enough to login as admin and set the new user to have admin rights and then turn this back on. Admin won’t be available while this is turned on.

  • Kaly:

    Thanks for your reply Dave,
    but the script doesn’t seem to work with me.
    When I replaced the wp-login.php file with your script, the first problem i faced was :
    Warning: Cannot modify header information – headers already sent by (output started at C:\Program Files\xampp\htdocs\wordpress\wp-login.php:16) in C:\Program Files\xampp\htdocs\wordpress\wp-login.php on line 40

    Then I took off the “echo ‘smartLogin’; line and it worked…
    Now the next problem is that I don’t think the script is creating any usier, in other words, if i click on LOGIN in wordpress, it redirects me to the login.aspx page but that’s the only thing that it’s doing, it’s not creating the cookie and it’s not creating any user in wordpress DB

    Any ideas?

    PS: will this script work if I’m using two seperate domains? if wordpress is hosted on a unix server and my .net application is hosted on a windows server?


  • Dave:

    Cookies are domain specific. So, no it won’t work.

    We placed our blog as a subdirectory under our asp.net site.

    You MAY be able to get it to work across domains by doing something with redirects and passing parameters but that sounds like a recipe for a security issue to me.

  • Kaly:

    Hello Dave,
    Is there a demo Login.aspx page for this method? I don’t seem to get it to work properly coz I lag knowledge in .NET


  • Dave:

    Sorry, I’m not sure that the code would help you if you don’t know .NET

    If you are using .NET 2.0 or greater, you’ll need to trap the authentication event handler to set the cookie once the use has been authenticated. If you are using .NET 1.1 you’d have to roll your own authentication anyhow.

  • Kaly:

    Hello Dave,
    I finally got it to work !
    The only problem I’m facing is the logout !
    When I click logout nothing’s happening, maybe a code should be added to delete the cookie on logout?

  • Elie:

    Kaly is right
    the logout isn’t working

  • Dave:

    Right, you’ll need to delete the cookie.

  • Kaly:

    Hello Dave,
    I know you have to delete the cookie, I created a button in the sidebar that links to a php page with a simple code to delete the cookie we created earlier, but it’s not deleting anything, is there an easier way to implement it with the logout button of wordpress?


  • Khalil:

    Hi Dave,
    the function is working properly, but the problem is that when the user is logs out, and after deleting the cookie we created in the asp page, the user is considered still logged in, because wordpress cookies aren’t deleted, any solution for that?

Leave a Reply

Comment Policy:

  • You must verify your comment by responding to the automated email that is sent to your email address. Unverified comments will never show.Leave a good comment that adds to the conversation and I'll leave your link in.
  • Leave me pure spam and I'll delete it.
  • Leave a general comment and I'll remove the link but keep the comment.

Notify me of followup comments via e-mail