I have developed a Chrome Extension which calls some APIs on my website, which in turn uses PHPAuth/PHPAuth for authentication. Basically, I have the user enter the Username and Password for the website as an Extension Option and I call a Login API on my website as follows.
if (isset($_POST['email']) && isset($_POST['password'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];

    // Already logged in (PHPAuth session cookie present): just return the user id.
    if ($auth->isLogged()) {
        $userId = $auth->getSessionUID($_COOKIE[$authConfig->cookie_name]);
        echo json_encode(['userId' => $userId]);
        die();
    }

    // Fresh login; the third argument is PHPAuth's "remember me" flag.
    $login = $auth->login($email, $password, true);
    if ($login['error']) {
        die($login['message']);
    } else {
        // Resolve the user id from the session hash the login returned.
        $userId = $auth->getSessionUID($login['hash']);
        echo json_encode(['userId' => $userId]);
        die();
    }
} else {
    die('Error');
}
This works to temporarily consider the user authenticated, but does not actually log the user into the website. In other words, when I open a password-protected page via an iframe, it shows me the user login form.
Can someone tell me what I am doing wrong, or a better way to go about what I need?
Basically, I am saving the user the need to keep logging in every time they open protected pages, once they have been made to log in.
Check that your manifest.json contains your website URL and all required subdomains, for example:
"permissions": [
  "http://example.com/",
  "http://*.example.com/",
  "https://example.com/",
  "https://*.example.com/"
],
Also, you can communicate with the website in a slightly different way, for example:
the first time you log in to your website, it could return a token, which you can store in the browser's local storage and, on the server side, against the user.
This token should later be sent from the extension along with each request to your website.
On the website side you should check that this token exists, that it belongs to the right user, and that it has not expired. If it is correct, then perform the action requested by the user.
And to be honest, it would be much more secure to use OAuth 2.0, which is more secure than username/password authentication within the extension context.