Here’s how I did it.

Pre-Requisites

The first order of business is to ensure all the sites being shared are using the same database and users tables. To do this, make sure each site points to the same database and add these to wp-config.php:

define('MASTER_DOMAIN', 'domain.com' ); // Change this to the domain name of your master site
define('CAP_PREFIX', 'wp_') // Change this prefix of your master site
define('CUSTOM_USER_TABLE', CAP_PREFIX.'users');
define('CUSTOM_USER_META_TABLE', CAP_PREFIX.'wp_usermeta');

You could also make this hack in “/wp-includes/capabilities.php”:

CHANGE THIS:

$this->cap_key = $wpdb->prefix . 'capabilities';

TO THIS:

$this->cap_key = defined('CAP_PREFIX') ? CAP_PREFIX . 'capabilities' : $wpdb->prefix . 'capabilities';

Cross Domain Authentication works by defining a central domain (which we will call the master), to store a cookie for each user session. Any of the other domains (we will call them slaves) will either get or send the cookie to the master.

First – store the master and current base urls so we have easy access to them:

$wpcl_master_domain = 'http://'. MASTER_DOMAIN;
$wpcl_current_domain = 'http://'.$_SERVER["SERVER_NAME"];

We call it the current domain because it’s possible that the user might be logged onto the master domain.

On to the actual actions. Firstly, when content on a slave domain is loaded, there are two possible scenarios.

Scenario 1:

The slave does not possess an authenticated cookie. In this case we want to check with the master and create a slave cookie if possible.

• Slave sends a request to the master that asks for a cookie value
• Master sends a request to the slave that provides a cookie value
• Slave authenticates the cookie value and sets slave cookie(s)

Scenario 2:

The slave does posess an authenticated cookie. In this case we want to notify the master and create a master cookie if possible.

• Slave sends a request to the master that provides a cookie value
• Master authenticates the cookie value and sets master cookie(s)

You’ll notice that in both scenarios, there are potentially three actions.

Stage 1, Requesting a Cookie Value:

This is only ever done by a slave to a master, so we don’t need any parameters for the function. We’re also providing information about where to send the cookie back to.

function wpcl_getUrlForCookieRequest(){
	global $wpcl_current_domain, $wpcl_master_domain;
	$target_url = add_query_arg('wpcl-caller', urlencode($wpcl_current_domain), $wpcl_master_domain);
	$target_url = add_query_arg('wpcl-stage', '1', $target_url);
	return $target_url;
}

Stage 2, Sending a Cookie Value:

This could be done by both the slave and the master, so we have an option of the URL to start with. We’re sending the logged-in cookie from the site as a value in the URL.

function wpcl_getUrlToSendCookie($target_url){
	$target_url = add_query_arg('wpcl-logged-in', urlencode($_COOKIE[LOGGED_IN_COOKIE]), $target_url);
	$target_url = add_query_arg('wpcl-stage', '2', $target_url);
	return $target_url;
}

Stage 3, Receiving, authenticating, and setting cookies:

This is super easy with WordPress’ built in functions:

function wpcl_receive_cookie(){
	$userId = wp_validate_auth_cookie(urldecode($_GET['wpcl-logged-in']), 'logged_in');
	if ( $userId === false ) { return; }
	wp_set_auth_cookie($userId);
}

Stage 4, Clear the parameters we were using (Optional):

This is not necessary if we’re doing things in the background (read on), but if you have the need, here’s how to do it:

function wpcl_clear_params() {
	global $wpcl_current_domain;
	$target_url = $wpcl_current_domain .$_SERVER["REQUEST_URI"];
	$target_url = remove_query_arg('wpcl-caller', $target_url);
	$target_url = remove_query_arg('wpcl-logged-in', $target_url);
	$target_url = remove_query_arg('wpcl-stage', $target_url);
	wp_redirect($target_url);
    exit;
}

Let’s move on to the action logic. With the ability to send and receive cookies out of the way, we need to set up some handling methods. The following code monitors the ‘wpcl-stage’ parameter in the URL to determine if any action needs to be carried out. As you can see, if it notices we’re in Stage 1 it will respond with Stage 2. If it notices we’re in Stage 2 it will respond with Stage 3. We want this to happen as early as possible in the WP Lifecycle, as to not waste resources. So we hook it into ‘init’.

function wpcl_action() {
	$wpcl_stage = $_GET['wpcl-stage'];
    switch ($wpcl_stage) {
        case '1':
            $target_url = wpcl_getUrlToSendCookie(urldecode($_GET['wpcl-caller']));
			wp_redirect($target_url);
			exit;
            break;
        case '2':
            wpcl_receive_cookie();
            break;
        default:
			break;
    }
}
add_filter('init', 'wpcl_action', 10, 2);

Almost there; we just need to initialize the entire process. I’ve chosen to use an image link to do this in the background. But, it could be done other ways too. There are some caveats to this method – in particular, doing it in the footer requires a full page load before requesting the cookie. So, a user might not be authenticated until the page refreshes a second time. Nonetheless, this shows one method of how the process can be done in the background.

function wpcl_background() {
	global $wpcl_master_domain, $wpcl_current_domain;

	if ( $wpcl_current_domain == $wpcl_master_domain ) { return; } // Bypass for master

	if ( is_user_logged_in() ) {
		// If logged in on a slave site, send the cookie to the master
		$target_url = wpcl_getUrlToSendCookie($wpcl_master_domain);
	} else {
		// If not logged in on a slave site, request a cookie from the master
		$target_url = wpcl_getUrlForCookieRequest();
	}
	?><img src="<?php echo $target_url; ?>" alt="" style="display=none;"; /><?php
}
add_action('wp_footer', 'wpcl_background');
add_action('admin_footer', 'wpcl_background');

Finally, just make sure this code is loaded and active (as a plugin) in the master domain and all slave domains.

Using this technique, one could potentially enable an infinite number of WordPress sites to share login sessions by utilizing cross-domain authentication and cookie sharing.

View the full code here.

This has been marginally tested and found to be working on both WP Multisite and WP Hive. It comes with no guarantee and no support. If you find it to be useful, please share it with others.

Step 1:
Installed Human Test for BB Press

Step 2:
Used AmR-Users to generate a CSV list of bot users by generating a report that excluded user levels of 0,1,2,3,4,5,6,7,8,9,10 and making the id visible.

Note – my BB Press installation is integrated with WordPress, so they share the same users tables. This method would only work in that case, because if the user doesn’t validate their email address, then it’s not set up with a role in WordPress.

Step 3:
Used Excel to reformat the list – creating a list of all the ID’s, with a comma after.

Step 4:
I wrote a quick script to actually delete the users. The array part was 3100 lines long, just a copy and paste from Excel.

<?php
/*
Plugin Name: Bot Cleanup
Description: Get rid of BBpress bot users.
Version: 0.1
*/
function wphive_delete_now() {
    $ids = array(
        1856,
        1857,
        1234
    );

    if ($_REQUEST['delete'] == 'now') {
        require_once(ABSPATH.'/wp-admin/includes/user.php');
        foreach ($ids as $id) {
            wp_delete_user( $id );
        }
    }
}
add_action('init', 'wphive_delete_now');
?>

Step 5:
Installed it as a plugin in WordPress and activated it. Don’t forget to uninstall it and delete it after you are done.

Step 6:
Loaded up my website with the appropriate GET to activate it:
http://domain.com/index.php?delete=now and Voila! all those spammy users disappeared. I actually had to load it twice because it timed out the first time after deleting about 2400 users.

Coincidentally (or perhaps not), I am also getting regular requests for Web Design work. The problem is that I prefer to focus on what I do best, which is writing great software. As a result, I’ve had to turn down a number of requests for designing themes and other various work on the WordPress front-end.

Instead of turning these clients away, I would like to send them to someone who can take care of the customer the same way I would.  In return, I would expect to get some leads back.

Ideally I would like to work with someone who:

- Has existing clients and a portfolio of work.
- Has a proven method of generating leads and finding new jobs.
- Has had to turn down requests for web-development, in favor of specializing in web-design.
- Is serious about running this venture as business.

The idea is that this would be an on-going symbiotic relationship.

If you are interested in exploring this type of partnership, please contact me.

This code uses the same idea as the above, but fixes more values in _SERVER and resolves a problem with _GET. It will also work with later versions (2.8+) of WordPress.

<?php
// This is the default file for the site. Usually index.php
$default = 'index.php';

// The name of this file.
// Set this value for the URL in Custom Error Properties of your website in IIS.
// Goto: IIS Manager > Websites > [Site Name] > Properties > Custom Errors >
// 404 & 404;2 & 404;3 > URL (Requires a '/' prefix in IIS).
$thisfile = '404-handler.php';

$_SERVER['ORIG_PATH_TRANSLATED'] = str_replace($thisfile, $default, $_SERVER['ORIG_PATH_TRANSLATED']);
$_SERVER['SCRIPT_FILENAME'] = str_replace($thisfile, $default, $_SERVER['SCRIPT_FILENAME']);
$_SERVER['ORIG_PATH_INFO'] = str_replace($thisfile, $default, $_SERVER['ORIG_PATH_INFO']);
$_SERVER['SCRIPT_NAME'] = str_replace($thisfile, $default, $_SERVER['SCRIPT_NAME']);
$_SERVER['PHP_SELF'] = str_replace($thisfile, $default, $_SERVER['PHP_SELF']);
$_SERVER['PATH_INFO'] = false;

$qs =& $_SERVER['QUERY_STRING'];
$ru =& $_SERVER['REQUEST_URI'];
$pos = strrpos($qs, '://');
$pos = strpos($qs, '/', $pos + 4);
$_SERVER['URL'] = $ru = substr($qs, $pos);
$qs = trim(stristr($ru, '?'), '?');

// Required for WordPress 2.8+
$_SERVER['HTTP_X_ORIGINAL_URL'] = $ru;

// Fix GET vars
foreach ( $_GET as $var => $val ) {
  if ( substr($var, 0, 3) == '404') {
    if ( strstr($var, '?') ) {
      $newvar = substr($var, strpos($var, '?') + 1);
      $_GET[$newvar] = $val;
    }
    unset($_GET[$var]);
  }
  break;
}
include($default);
?>