Home » none » WordPress w/ Forms Authentication on IIS6

WordPress w/ Forms Authentication on IIS6

I know I said yesterday that I’d start a series about creating DotNetNuke modules, but I solved a problem yesterday after I wrote that post that I think a lot of you will be interested in.  Especially if you are using WordPress in combination with an ASP.NET site.

The problem we had was this.  We have an ASP.NET web site that requires a login before anyone can see any pages.  We wanted to add a WordPress blog to it that could only be viewed when people log in and wanted to be able to have the same user names in WordPress that they had in ASP.NET.

I did see one plug in that would let us log in to WordPress using forms authentication.  But, it only works under IIS7.  We are still using IIS6, as most of the world is, so that solution wasn’t going to work.

So, here’s what we did.  Most of the work was on the WordPress side, which required a bit of PHP knowledge.  I’ll be the first to admit that I know very little PHP.  But, I do know enough to hack it when I have to.  So, on the ASP.NET side, all I did was set a cookie to the username after the user logged in.  That gets the username some place where WordPress can see it without too much effort.

To force WordPress to require a login, we used the Authenticate plugin.  So, the only real work we needed to do was to create a system that forces the user to use the Login.aspx page on the main site, create a new user if they user doesn’t exist, and log the user into WordPress.  Since only one or two users need special privileges, we left assigning roles to the user as a manual process.

Here is our PHP code, commented so you can see how we got this working.  This code should replace wp-login.php.  There is probably some elegant way of making this work as a plug-in, but I’m not really a php programmer, I just play one on TV.  If you know how to make it into a plug-in, let me know.

require( dirname(__FILE__) . '/wp-config.php' );
require_once( ABSPATH . WPINC . '/registration.php');

function smartLogin() {

echo "start smartLogin";

    $errors = new WP_Error();

  // If no cookie was set, they have not
  // logged into the main site.
        $user_login = $_COOKIE['wpuser_zzz'];
    // If they aren't logged in, see what 
    // WordPress page they were trying to access
        if( isset($_REQUEST['redirect_to']) )
            $returnUrl = '?returnUrl=' . 
            $returnUrl = '?returnUrl=' . 
    // and send them to the login.aspx page with 
    // the page they were trying to get to as the
    // returnUrl parameter.
        header('Location: ' . get_option('siteurl') . 
        '/../login.aspx' . $returnUrl);


    $user_login = sanitize_user( $user_login );

  // If the user doesn't exist in WordPress yet, create them
  // use the md5 hash of the username as the password
  // (so they can't guess it... you may want to salt the md5)
    if ( !username_exists( $user_login ) )
        $user_id = wp_create_user( $user_login, md5($user_login), "" );
  // Once the user is created, log them in.  
  // Now, redirect them back to the page 
  // they were trying to get to
  // or the main blog page if you can't find
  // the original page
    $redirect_to = get_option('siteurl');
    if ( isset( $_REQUEST['redirect_to'] ) )
        $redirect_to = $_REQUEST['redirect_to'];

        header('Location: ' . $redirect_to);

    return $user_id; 

// call the function above


Like this Article? Subscribe to get every article sent to your email.

Related Post

  • DotNetNuke Modules – Creating Base ModulesDotNetNuke Modules – Creating Base Modules Now that we have DotNetNuke installed into Visual Studio we can go ahead and create our first modules. Actually, creating the modules is pretty simple. But it is even easier to do it […]
  • Forms Authentication – Creating UsersForms Authentication – Creating Users Last week we installed the tables into our database and set up the database connection so that we could implement forms based authentication. This week, we need to put into place a way […]
  • CMS vs Code It YourselfCMS vs Code It Yourself This post has been percolating in my brain for several weeks now and I think it’s finally at the point where it’s “done.”  Well, see… The problem area is this.  At what point […]
  • Forms Authentication – Managing UsersForms Authentication – Managing Users While there are a lot of controls available in ASP.NET that allow you to manage forms authentication, one control that doesn’t exist is something that will allow you to manage your user […]
  • The Google Appliance and Forms AuthenticationThe Google Appliance and Forms Authentication I’ve been working with a client to implement the Google Appliance on one of their sites that has forms authentication enabled.For those of you who aren’t aware, Google provides a […]

About Dave Bush

Dave Bush is a Full Stack ASP.NET developer. His commitment to quality through test driven development, vast knowledge of C#, HTML, CSS and JavaScript as well as his ability to mentor younger programmers and his passion for Agile/Scrum as defined by the Agile Manifesto and the Scrum Alliance will certainly be an asset to your organization.

  • http://lloydbudd.com/ Lloyd Budd

    Very cool addition to the WordPress toolbox.

  • Kaly

    Hello There,
    I haven’t tried the code yet, but before doing so, what about the admin account in wordpress? the one you enter when installing wordpress?

  • Dave

    The easiest thing to do is to create a user using this method. Turn off this method long enough to login as admin and set the new user to have admin rights and then turn this back on. Admin won’t be available while this is turned on.

  • Kaly

    Thanks for your reply Dave,
    but the script doesn’t seem to work with me.
    When I replaced the wp-login.php file with your script, the first problem i faced was :
    Warning: Cannot modify header information – headers already sent by (output started at C:\Program Files\xampp\htdocs\wordpress\wp-login.php:16) in C:\Program Files\xampp\htdocs\wordpress\wp-login.php on line 40

    Then I took off the “echo ‘smartLogin’; line and it worked…
    Now the next problem is that I don’t think the script is creating any usier, in other words, if i click on LOGIN in wordpress, it redirects me to the login.aspx page but that’s the only thing that it’s doing, it’s not creating the cookie and it’s not creating any user in wordpress DB

    Any ideas?

    PS: will this script work if I’m using two seperate domains? if wordpress is hosted on a unix server and my .net application is hosted on a windows server?


  • Dave

    Cookies are domain specific. So, no it won’t work.

    We placed our blog as a subdirectory under our asp.net site.

    You MAY be able to get it to work across domains by doing something with redirects and passing parameters but that sounds like a recipe for a security issue to me.

  • Kaly

    Hello Dave,
    Is there a demo Login.aspx page for this method? I don’t seem to get it to work properly coz I lag knowledge in .NET


  • Dave

    Sorry, I’m not sure that the code would help you if you don’t know .NET

    If you are using .NET 2.0 or greater, you’ll need to trap the authentication event handler to set the cookie once the use has been authenticated. If you are using .NET 1.1 you’d have to roll your own authentication anyhow.

  • Kaly

    Hello Dave,
    I finally got it to work !
    The only problem I’m facing is the logout !
    When I click logout nothing’s happening, maybe a code should be added to delete the cookie on logout?

  • Elie

    Kaly is right
    the logout isn’t working

  • Dave

    Right, you’ll need to delete the cookie.

  • Kaly

    Hello Dave,
    I know you have to delete the cookie, I created a button in the sidebar that links to a php page with a simple code to delete the cookie we created earlier, but it’s not deleting anything, is there an easier way to implement it with the logout button of wordpress?


  • Khalil

    Hi Dave,
    the function is working properly, but the problem is that when the user is logs out, and after deleting the cookie we created in the asp page, the user is considered still logged in, because wordpress cookies aren’t deleted, any solution for that?