Automatic logging in to Plesk is useful for integration purposes, so that customers who have logged in to some other system could access Plesk without having to log in for the second time.

To implement automatic logging in, you need to have an integration script that contains an XML API request to create a session token for a single-use URL. The script will log in users to Plesk using the URL that contains either of the following:

  • (Recommended) A session token
  • (Not recommended for security reasons) User login and password

Automatic Logging in to Plesk Using Session Tokens

To configure automatic logging in using session tokens:

  1. Set up your integration script to create a session token. To do so, send an XML API request using the create_session node, for example:

    <packet version="1.6.9.1">
      <server>
        <create_session>
          <login>admin</login>
          <data>
            <user_ip>192.0.2.1</user_ip>
            <source_server></source_server>
          </data>
        </create_session>
      </server>
    </packet>
    

    The following parameters must contain your values:

    • login is the login of a Plesk user for whom you need to create a session.
    • user_ip is the user’s IP address in plain text or encoded in base64 (for example, MTkyLjAuMi4x).
    • (Optional) source_server is the hostname of the computer from which the request is sent encoded in base64.

    Nota: The create_session operation is available for the Plesk administrator, customers, and resellers. The Plesk administrator can create session tokens for themselves, resellers and customers; resellers—for themselves and their customers only; customers—for themselves only.

    Instead of sending an XML API request directly, you can insert it into an XML file and send it via curl, for example:

    curl –kLi -H "Content-Type: text/xml" -H "HTTP_AUTH_LOGIN: admin" -H "HTTP_AUTH_PASSWD: password" -H "HTTP_PRETTY_PRINT: TRUE" -d @request.xml https:<server-hostname-or-ip>/enterprise/control/agent.php
    

    where

    • admin and password are the Plesk administrator credentials used to log in to the Plesk server.
    • request.xml is an XML file containing an XML API request that creates a session token (for example, the request shown above).
    • server-hostname-or-ip is the hostname or IP address of the Plesk server for which you want to create a session token.

    The Plesk XML API will create a session token and send it in the response, for example:

    <?xml version="1.0" encoding="UTF-8"?>
    <packet version="1.6.9.1">
      <server>
        <create_session>
          <result>
            <status>ok</status>
            <id>df9d386ee5ef13dbcd583c1f616857a2</id>
          </result>
        </create_session>
      </server>
    </packet>
    

    The id tag contains a session token (df9d386ee5ef13dbcd583c1f616857a2 in the example). The script will use this token in a single-use URL for logging in.

  2. The script will redirect the user’s browser to rsession_init.php and the user will be logged in to Plesk. The single-use URL for logging in is has the following pattern:

    https://<server-hostname-or-ip>:8443/enterprise/rsession_init.php?PLESKSESSID=<session_token>&success_redirect_url=<success_redirect_url>&failure_redirect_url=<failure_redirect_url>
    

    where:

    • <server-hostname-or-ip> is the hostname or IP address of the server for which you have created a session token.
    • <session_token> is a created session token.

    You can also specify the following optional parameters:

    • <success_redirect_url> is the URL to which the browser will be redirected after a successful login.
    • <failure_redirect_url> is the URL to which the browser will be redirected after a Plesk session has expired or a user was logged out.
    • <locale_id> is the name of the locale that will be used upon logging in (such as de-DE).

    The URL for logging in can look like the following:

    https://192.0.2.1:8443/enterprise/rsession_init.php?PLESKSESSID=df9d386ee5ef13dbcd583c1f616857a2&success_redirect_url=/admin/customer/list
    

    Nota: We recommend that you use relative URLs (they start with /) in success_redirect_url and failure_redirect_url parameters, for example: /admin/customer/list. To redirect to the hostnames different from Plesk, you need to use absolute URLs in the parameters (for example, example.com) and also in the trustedRedirectHosts setting in the panel.ini file (see the next step).

  3. If you set up automatic logging in to Plesk with success_redirect_url and/or failure_redirect_url parameters that redirect to the hostnames different from Plesk and have absolute URLs, protect your Plesk server against open redirect. To do so, add the following entry to the panel.ini file:

    [security]
    trustedRedirectHosts = hostname1,hostname2
    

    Where hostname1 and hostname2 are trustworthy hostnames to which you allow URL redirection via the success_redirect_url and failure_redirect_url parameters.

    Learn more about protecting your Plesk against open redirect.

Automatic Logging in to Plesk Using Credentials

You can also configure automated logging in without creating a session token: by passing a user login and password as parameters in the URL. For security reasons, we do not recommend this approach.

If you still want to go with it, the URL for logging in will have the following pattern:

https://<server-hostname-or-ip>:8443/login_up.php3?login_name=<login>&passwd=<password>&success_redirect_url=<success_redirect_url>&failure_redirect_url=<failure_redirect_url>

where

  • <server-hostname-or-ip> is the hostname or IP address of the server for which you have created a session token.
  • <login> and <password> are the user’s login and password, respectively.

You can also specify the following optional parameters:

  • <success_redirect_url> is the URL to which the browser will be redirected after a successful login.
  • <failure_redirect_url> is the URL to which the browser will be redirected after a Plesk session has expired or a user was logged out.
  • <locale_id> is the name of the locale that will be used upon logging in (such as de-DE).