Shared secret keys stored in the PHP files are bad, especially if the code is being shown to the world. Better to use a global file in the include_dir with generic functions.
An example:
<?php
include("toolserver_auth");

if (IsAuthenticated())
    echo "Hello " . $Toolserver_User;
else {
    // Only help.php is shown to visitors who are not logged in
    if (PHP_FILE == "help.php")
        print "You will need to log in to see the other pages. \n They're awesome";
    else
        ToolserverAuthNeeded(); // redirects to the login page and calls exit()
}
echo "You're an authenticated user. Welcome $Toolserver_User";
?>
The cookie checking and OpenID work stays in IsAuthenticated(). The cookie can be anything, any hash you want, and the shared secret can be changed several times a week without problems. The ToolserverAuthNeeded() function would redirect to / show the correct page to log in. It would end with exit(), stopping the rest of the file.
Sadly, we may need to wait for the single login to have this tools auth working. But having it before then would be nice :)
Interiot, I assume you were thinking of using the hash stored for the user's password on MediaWiki, but I thought it wasn't replicated, that user info wasn't on Toolserver?
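
One way the shared include file described in the post above could look, as an added example that is not part of the original post or any Toolserver code. It covers only the signed-cookie check (no OpenID); the secrets file path, cookie name, cookie format, lifetime, login URL and the ts_* helpers are assumptions.

```php
<?php
// Added sketch of the shared include_dir file. Assumptions (not from the post):
// secrets path, cookie name, cookie format, lifetime and login URL.
const TS_SECRETS_FILE = '/etc/toolserver/auth_secrets.php'; // hypothetical, outside the web root
const TS_COOKIE  = 'ts_auth';   // hypothetical cookie name
const TS_MAX_AGE = 86400;       // seconds a cookie stays valid

$Toolserver_User = null;

// The secrets file returns an array of keys, newest first. Keeping the previous
// key in the list lets the secret be rotated without logging everyone out.
function ts_secrets(): array {
    return require TS_SECRETS_FILE;
}

// Called by the login page after the user has proven who they are.
function ts_make_cookie(string $user, array $keys, ?int $now = null): string {
    $payload = base64_encode($user) . '.' . ($now ?? time());
    return $payload . '.' . hash_hmac('sha256', $payload, $keys[0]);
}

// Returns the user name carried by a valid cookie value, or null.
function ts_verify_cookie(string $value, array $keys, ?int $now = null): ?string {
    $parts = explode('.', $value);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) return null;
    $user = base64_decode($parts[0], true);
    $age  = ($now ?? time()) - (int) $parts[1];
    if ($user === false || $user === '' || $age < 0 || $age > TS_MAX_AGE) return null;
    foreach ($keys as $key) {
        $expected = hash_hmac('sha256', $parts[0] . '.' . $parts[1], $key);
        if (hash_equals($expected, $parts[2])) return $user; // constant-time compare
    }
    return null;
}

function IsAuthenticated(): bool {
    global $Toolserver_User;
    $raw = $_COOKIE[TS_COOKIE] ?? '';
    $Toolserver_User = is_string($raw) ? ts_verify_cookie($raw, ts_secrets()) : null;
    return $Toolserver_User !== null;
}

function ToolserverAuthNeeded(): void {
    header('Location: /login.php'); // hypothetical login page
    exit();
}
```

Tools only include this file, so the keys never appear in published tool source, and rotating means prepending a new key to the secrets file and dropping the oldest one later.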