I ended up using the ‘plugins_loaded’ action or state from http://codex.wordpress.org/Plugin_API/Action_Reference:
In my main plugin file I have:
include_once( 'lib/class-my-auth.php' ); // your class file here
add_action( 'plugins_loaded', 'My_Auth::auto_login' );
In lib/class-my-auth.php:
<?php
class My_Auth {
private static $successfully_connected_Main_to_WP = false;
public static function auto_login() {
$username = ...; // Integrate with main site to get username from active session
// Check if WP user is logged in
if ( is_user_logged_in() ) {
// Get current WP user
$current_wp_user = wp_get_current_user();
// Logout if the current WP user is different than the main site user
if ( strToLower( $username ) !== strToLower( $curren_wp_user->user_login ) ) {
self::logout_of_wp();
} else {
self::$successfully_connected_Main_to_WP = true;
}
}
// If a connection b/w main site & WP has not been established, login if possible
if ( ! self::$successfully_connected_Main_to_WP && $user_info = get_userdatabylogin($username) ) {
$user_id = $user_info->ID;
if ( $user_id > 0 ) {
wp_set_auth_cookie( $user_id );
wp_set_current_user( $user_id );
self::$successfully_connected_Main_to_WP = true;
}
}
}
// If no connection b/w main site & WP was established, and the user is
// logged in, logout.
if ( ! self::$successfully_connected_Main_to_WP && is_user_logged_in() ) {
self::logout_of_wp();
}
}
private static function logout_of_wp() {
// Clear the auth cookie, and do other stuff
wp_clear_auth_cookie();
do_action('wp_logout');
// Unset the current user
wp_set_current_user(0);
}
}