In today’s digital ecosystem, it’s common to integrate Laravel-based web applications with community forums or blogs powered by WordPress. But while this multi-platform setup offers the best of both worlds, it introduces a familiar pain point:
How do you log in users to both platforms simultaneously without friction?
The answer: Single Sign-On (SSO) via a lightweight and powerful method — using an <iframe>.
Goal
Enable auto-login and logout to a WordPress forum when a user logs in or out of a Laravel application — silently and securely.
Why Use an <iframe> for SSO
Traditional SSO implementations often rely on complex OAuth, redirections, or risky CORS setups. An iframe-based SSO allows:
1. Silent cross-platform login without redirection.
2. Session cookie preservation in the browser.
3. Bypass SameSite cookie restrictions.
4. No CORS setup headaches.
5. Easy to maintain after a one-time integration.
Real-World Example: Laravel → WordPress
Scenario:
– Laravel App URL: https://example.com
– WordPress Forum URL: https://forum.example.com
When a user logs in to Laravel, they should automatically be logged into the WordPress forum without any extra steps.
The Problem
WordPress relies on browser sessions and cookies to identify logged-in users. If you try logging in via an HTTP call from Laravel, the cookies are returned to the Laravel server rather than set in the user’s browser, so the browser ends up with no WordPress session.
The Solution: Let the Browser Do the Work
Use an <iframe> in your Laravel Blade template to make a background call to WordPress:
<iframe src="https://forum.example.com/?user_id=123&ts=1720923000&sig=xyz" style="display: none;"></iframe>
This silently opens a WordPress login endpoint that:
1. Verifies the request using an HMAC-based signature.
2. Calls wp_set_auth_cookie() to log in the user.
3. Sends proper cookies to the browser.
Securing the Login with HMAC Signature
Laravel-side example:
// $wpUserId is the WordPress user ID fetched or created through the REST API
$secret = config("app.wp_sso_secret");
$timestamp = time();
$signature = hash_hmac('sha256', $wpUserId . '|' . $timestamp, $secret);
WordPress functions.php:
Add the following code to functions.php:
add_action('init', function () {
    // LOGIN: signed request sent by the hidden iframe
    if (isset($_GET['user_id'], $_GET['ts'], $_GET['sig']) && is_string($_GET['sig'])) {
        $user_id   = intval($_GET['user_id']);
        $timestamp = intval($_GET['ts']);
        $signature = $_GET['sig'];
        $secret    = 'tqxUAeZWZvXr0m9khJ9FAvWZ'; // MUST match Laravel; example value, generate your own
        $expected  = hash_hmac('sha256', $user_id . '|' . $timestamp, $secret);
        // Constant-time comparison; reject links that are 60+ seconds old or future-dated
        if (hash_equals($expected, $signature) && abs(time() - $timestamp) < 60) {
            $user = get_user_by('id', $user_id);
            if ($user) {
                wp_set_auth_cookie($user->ID, true);
                wp_set_current_user($user->ID);
            }
        }
    }
    // LOGOUT: this request is unsigned, so any page that loads the URL ends the session
    if (isset($_GET['action']) && $_GET['action'] === 'custom-logout') {
        wp_logout();
        wp_redirect(home_url()); // or a custom redirect
        exit;
    }
});
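The timestamp check above still lets a captured login URL be reused until the 60 seconds run out. One way to close that window is to sign a random nonce as well and accept each link once. This is an added example, not the original post's code; the `sso_*` function names, the `nonce` parameter, the in-memory `$seen` store and the demo secret are assumptions.

```php
<?php
// Added example (plain PHP). sso_* names, 'nonce' and $seen are assumptions.
const SSO_WINDOW = 60; // seconds, the same freshness window the page uses

function sso_sign(int $userId, int $ts, string $nonce, string $secret): string
{
    // The page's "user_id|timestamp" message, extended with a one-time nonce.
    return hash_hmac('sha256', $userId . '|' . $ts . '|' . $nonce, $secret);
}

function sso_build_url(string $base, int $userId, string $secret, ?int $now = null): string
{
    $ts    = $now ?? time();
    $nonce = bin2hex(random_bytes(16));
    return $base . '?' . http_build_query([
        'user_id' => $userId,
        'ts'      => $ts,
        'nonce'   => $nonce,
        'sig'     => sso_sign($userId, $ts, $nonce, $secret),
    ]);
}

function sso_verify(array $q, string $secret, array &$seen, ?int $now = null): bool
{
    foreach (['user_id', 'ts', 'nonce', 'sig'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return false; // missing or array-valued parameter (e.g. sig[]=x)
        }
    }
    $ts = (int) $q['ts'];
    if (abs(($now ?? time()) - $ts) >= SSO_WINDOW) {
        return false; // stale or future-dated link
    }
    if (!hash_equals(sso_sign((int) $q['user_id'], $ts, $q['nonce'], $secret), $q['sig'])) {
        return false; // forged or altered parameters
    }
    if (isset($seen[$q['nonce']])) {
        return false; // this link was already used once
    }
    $seen[$q['nonce']] = $ts; // production: a shared store with a 60-second expiry
    return true;
}

// Constructed demo values: a fixed clock and a throwaway secret.
$secret = 'constructed-demo-secret';
$seen   = [];
parse_str((string) parse_url(sso_build_url('https://forum.example.com/', 123, $secret, 1720923000), PHP_URL_QUERY), $q);
var_dump(sso_verify($q, $secret, $seen, 1720923010));                      // first presentation
var_dump(sso_verify($q, $secret, $seen, 1720923020));                      // same link again
var_dump(sso_verify(['user_id' => '1'] + $q, $secret, $seen, 1720923020)); // user_id altered
```

Inside WordPress the `$seen` array would have to persist across requests, for example as a transient keyed by the nonce (an assumption, not something the original post does).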
Auto Logout Integration
On Laravel logout, insert a hidden iframe to log out of WordPress:
<iframe src="https://forum.example.com/?action=custom-logout" style="display: none;"></iframe>
Prerequisite: Create an Application Password in WordPress
1. Log in as an admin in WordPress.
2. Go to Users → Profile.
3. Create a new application password (e.g., Laravel Integration).
4. Store this password securely in your Laravel .env file.
Creating or Fetching WordPress Users from Laravel
Fetch existing WordPress user:
$response = Http::withBasicAuth("wp_admin_username", "application_password")
    ->get("https://forum.example.com/wp-json/wp/v2/users", [
        'search' => ""
    ]);
Create a new WordPress user:
// $authUser / $authPass: the WordPress admin username and application password
// $wpApiBase: the REST base URL, e.g. https://forum.example.com/wp-json/wp/v2
$username = explode('@', $webUser->email)[0] . rand(1000, 9999);
$password = bin2hex(random_bytes(8)); // Random password
$createResponse = Http::withBasicAuth($authUser, $authPass)
    ->post("$wpApiBase/users", [
        'username' => $username,
        'email' => $webUser->email,
        'password' => $password,
        'name' => $webUser->name ?? $username,
    ]);
Benefits Summary
✅ Seamless UX – Users stay on Laravel, login to WP happens invisibly
🚫 No Redirects – No jarring redirects or loading delays
🔒 Secure – HMAC + short-lived tokens keep it safe
💡 Easy Maintenance
🌐 Cross-subdomain friendly – Works between subdomains with proper SameSite & Secure cookie setup
Ideal Use Case
Use iframe SSO when:
– Both Laravel & WordPress are on subdomains.
– You want a clean, instant SSO experience.
– You have control over both systems.
– You want to avoid third-party SSO packages.
Final Thoughts
Implementing auto-login from Laravel to WordPress using an <iframe> is simple, secure, and user-friendly. This approach is perfect for developers who need lightweight SSO without the complexity of full OAuth stacks or third-party services.
Empower your users with a truly seamless experience — login once, access everything.