I have a running AngularJS app and use Stamplay as the backend. Discourse is running in a subfolder.
SSO.php file (with the sig, sso, userID and userName parameters), where I use the PHP helper from @cviebrock.
This works and the user is logged in to both apps (AngularJS main app and forum).
This flow is insecure, because if the user copies the sig and sso parameters from the Discourse redirect and hits the SSO.php file with these parameters + the user parameter, he can log in to the forum as any user he wants.
Any ideas how to make this flow secure?
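
A hardened form of the SSO.php step described above, as an added example that is not part of the original post and not the helper library's code: the signature on the Discourse payload is verified, and the identity sent back is read from the server-side session instead of the userID and userName request parameters. The function names, the `SSO_SECRET` placeholder and the `$_SESSION['user']` entry (assumed to be filled by the main app's backend after it has verified the login, with `id`, `name` and `email` keys) are assumptions.

```php
<?php
// Added example, not the poster's SSO.php or the helper library's code.
const SSO_SECRET = 'REPLACE_WITH_DISCOURSE_SSO_SECRET'; // placeholder

// Check the HMAC-SHA256 signature Discourse attached to the payload, then decode it.
function verify_discourse_request(string $sso, string $sig, string $secret): array
{
    if (!hash_equals(hash_hmac('sha256', $sso, $secret), $sig)) {
        throw new RuntimeException('signature mismatch');
    }
    $decoded = base64_decode($sso, true);
    if ($decoded === false) {
        throw new RuntimeException('payload is not base64');
    }
    parse_str($decoded, $fields);
    if (empty($fields['nonce']) || empty($fields['return_sso_url'])) {
        throw new RuntimeException('payload lacks nonce or return_sso_url');
    }
    return $fields;
}

// Sign the reply. $user must come from server-side state, never from the request.
function build_discourse_redirect(array $fields, array $user, string $secret): string
{
    $payload = base64_encode(http_build_query([
        'nonce'       => $fields['nonce'],   // echoed back so Discourse can match the request
        'external_id' => $user['id'],
        'username'    => $user['name'],
        'email'       => $user['email'],
    ]));
    $sig = hash_hmac('sha256', $payload, $secret);
    return $fields['return_sso_url'] . '?' . http_build_query(['sso' => $payload, 'sig' => $sig]);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Assumption: set by the main app's backend once the login has been verified.
    $user = $_SESSION['user'] ?? null;
    if (!is_array($user)) {
        http_response_code(401);
        exit('Login required');
    }
    try {
        $fields = verify_discourse_request($_GET['sso'] ?? '', $_GET['sig'] ?? '', SSO_SECRET);
    } catch (Throwable $e) {
        http_response_code(403);
        exit('Invalid SSO request');
    }
    header('Location: ' . build_discourse_redirect($fields, $user, SSO_SECRET));
}
```

Because the user fields never come from the query string, a copied sso/sig pair can only produce a login for the account that owns the current session.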