First off, I apologize to those who have tried to post comments. I did not realize I had broken my commenting section when I recently uploaded a threaded comment plugin. As far as I can tell, it is fixed.

I’ve received a few emails and requests for more information about linking Symfony to Joomla (Original Post). The questions were pretty varied, but mostly centered around gaining some additional clarity and securing my approach using symmetric encryption.

For some clarity, I should state that this approach uses your standard Joomla authentication to access underlying services. You log into your joomla page and only then can you head off to the symfony service.

The service/application is contained within a com_wrapper. This component requires a little bit of modification. Within wrapper.php you will need to pass some parameters to the service’s url as part of the query string. So at first I did something like:

$url = $url . "?uid=" . $my->id;

Where $my is the global construct containing the user’s data.

Now this brings up an important point about security. By issuing the above GET in the com_wrapper, I’m exposing the user’s id to the world. This could be considered bad. To fix this you could/should ensure that all coms between joomla and your symfony service all use SSL if you’re passing user data. “But this doesn’t cover the bug!” I know, I’m getting to that.

I created a function called “encryptParam($param)”. This function relies on php’s mcrypt library. (Your current installation of php may not be compiled with this enabled, check phpinfo() or with your admin.) The function looks like:

function encryptParam($param)
{
    $init_vect = SHARED_INIT_VECTOR;
    $key = SHARED_SECRET_KEY;
    return = urlencode(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
                                                                          SHARED_SECRET_KEY,
                                                                          $param,
                                                                          MCRYPT_MODE_ECB,
                                                                          $init_vect)));
}

So the above function encrypts a parameter based on a SHARED_INIT_VECTOR and SHARED_SECRET_KEY. The function then base64 encodes the encrypted string and then makes sure any symbols are url encoded. The SHARED_INIT_VECTOR and SHARED_SECRET_KEY should be some random key you generate and defined in both the wrapper.php and your symfony authentication file.

Use mcrypt_get_iv_size and mcrypt_create_iv to create your own init_vect. So now the $url in wrapper.php looks more like:

$url = $url . "?uid=" . encryptParam($my->id);

In the symfony application, when I authenticate the request I then do something like:


$user_id = mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
                                     SHARED_SECRET_KEY,
                                     base64_decode(urldecode($encoded_string)),
                                     MCRYPT_MODE_ECB,
                                     SHARED_INIT_VECTOR);

This gives me the unencrypted user_id that I can now use to verify an active Joomla session using JosSessionsPeer and also use in my user management schemes.

You can make this better by having a scheme for rotating/changing initialization vectors and private keys. This may not be the awesomest approach, but I think it works pretty well all things considered.