I am running two different sites on two different servers with two different domains. One site is running Joomla, the other Moodle. I have configured the Moodle server to base its authentication on the users table on the Joomla site, so we have an authoritative source of user information.

What I’d like to do is this: after someone signs in to the Joomla site, provide a link to the Moodle site which will silently log them in, kind of faking a single-sign-on solution. The passwords in Joomla are MD5’d and each has its own secret salt.

The first thought at how to tackle this was to tell Moodle that the passwords were being stored in plain text, then via a hidden form input, send the encrypted password when they click the link. Aside from the obvious security issues with that, it also meant that should they try to log in via the Moodle interface, they’d need to enter a giant MD5 string, since that’s what Moodle thinks their password is.

I’ve been considering changing the authentication module in Moodle so that if the submitted password matches certain criteria (eg: it’s 32 hex characters), then don’t MD5 it before comparing to the Joomla version – the problem with that is that anyone could (upon discovering the encrypted password) then use that to log in. What I need is some special way to send the encrypted password from Joomla to Moodle and to signal to Moodle to treat that login request differently.

Any thoughts?