I’m not familiar with simplemachines in particular, but here are a
If you have database access to the simplemachines db and you’re
operating in the same domain you should see whatever cookie their
system is using to continue their session at simplemachines. Simply
verifying this cookie against the SM db would allow you to establish
a new session for them in the rails app.
Alternatively if you’re operating in a different domain but still
have access to the SM db, you could have them authenticate again
against this database (or see my next option).
Otherwise, if you can modify the SM source you can append an argument
to all links which provides a secure key to your rails system. A
simple example being a user id for the authenticated user along with
an expiration timestamp and a secret key. Hash all of those together
to provide some authentication. Basically your generated link URL
or something along those lines. Since the key is secret an attacker
who has not directly sniffed the traffic should not be able to
generate a matching hash. Obviously this is not an optimum level of
security, but it little worse than a directly authenticated app where
cookies are used for session preservation.
If none of the above are options, I’m afraid you’ve tapped me for
ideas. Hopefully this has provided you with some useful inspiration.