
SMF Cookie Format?


Mike Bobbitt:
Hi all,

I'm the author of album.pl, a photo gallery that can be used with SMF (among other forums).

I'd like to be able to read (but not write) SMF cookies for auto-login. Problem is, they're different from what I've seen in the past. Anyone know what the format is?

Looks like it's got the username (escaped somehow?) and then a hashed password, but I can't guess the format of either. Before I go digging in the code, I thought I'd ask here.


Thanks

Grudge:
Hi,

The cookie is set here:

--- Code: ---setcookie($cookiename, serialize(array($ID_MEMBER, $password)), time() + (60 * $modSettings['cookieTime']), $cookie_url[1], $cookie_url[0], 0);

--- End code ---

As you can see it's a serialized version of the ID_MEMBER and the password. The password itself is generated by these two lines:

--- Code: ---$md5_passwrd = md5_hmac($_REQUEST['passwrd'], strtolower($_REQUEST['user']));
$password = md5_hmac($md5_passwrd, 'ys');

--- End code ---

So basically it's double hashed, and uses the username and password entered by the user to generate the "password".

md5_hmac is a custom function used by SMF and is this:

--- Code: ---// MD5 Encryption.
function md5_hmac($data, $key)
{
	if (strlen($key) > 64)
		$key = pack('H*', md5($key));
	$key  = str_pad($key, 64, chr(0x00));

	$k_ipad = $key ^ str_repeat(chr(0x36), 64);
	$k_opad = $key ^ str_repeat(chr(0x5c), 64);

	return md5($k_opad . pack('H*', md5($k_ipad . $data)));
}

--- End code ---

Hope this helps.
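
Added example, not code from this thread or from SMF itself: a Python port of the three pieces quoted above, read-only as the original question asked, plus the same hash from the standard library, because md5_hmac() is the textbook HMAC-MD5 construction (key padded to 64 bytes, inner and outer hash with 0x36/0x5c pads). It assumes the value SMF keeps per member is the first-stage $md5_passwrd and that the cookie value arrives URL-encoded as setcookie() sends it; the lookup callback, member id and credentials are constructed for the demonstration.

```python
import hashlib
import hmac
import re
from urllib.parse import quote_plus, unquote_plus

def md5_hmac(data: bytes, key: bytes) -> str:
    """Port of SMF's md5_hmac() as quoted above; returns lowercase hex."""
    if len(key) > 64:
        key = hashlib.md5(key).digest()           # pack('H*', md5($key))
    key = key.ljust(64, b"\x00")                  # str_pad($key, 64, chr(0x00))
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(k_ipad + data).digest()   # pack('H*', md5($k_ipad . $data))
    return hashlib.md5(k_opad + inner).hexdigest()

def stdlib_hmac_md5(data: bytes, key: bytes) -> str:
    """Same result from the standard library: SMF's routine is plain HMAC-MD5."""
    return hmac.new(key, data, hashlib.md5).hexdigest()

def stored_password_hash(user: str, passwd: str) -> str:
    """First quoted line: md5_hmac($passwrd, strtolower($user)); assumed to be what SMF stores."""
    return md5_hmac(passwd.encode(), user.lower().encode())

def cookie_password(stored_hash: str) -> str:
    """Second quoted line: md5_hmac($md5_passwrd, 'ys'), the value placed in the cookie."""
    return md5_hmac(stored_hash.encode(), b"ys")

# serialize(array($ID_MEMBER, $password)) looks like a:2:{i:0;i:<id>;i:1;s:<len>:"<pw>";}
_COOKIE_RE = re.compile(r'^a:2:\{i:0;i:(\d+);i:1;s:(\d+):"([^"]*)";\}$')

def parse_cookie(raw_cookie: str):
    """Undo setcookie()'s URL-encoding; return (member_id, password) or None."""
    m = _COOKIE_RE.match(unquote_plus(raw_cookie))
    if m is None or int(m.group(2)) != len(m.group(3)):
        return None                               # not SMF's shape, or length field lies
    return int(m.group(1)), m.group(3)

def build_cookie(member_id: int, cookie_pw: str) -> str:
    """Serialize + URL-encode like setcookie(); only used here to construct test input."""
    return quote_plus(f'a:2:{{i:0;i:{member_id};i:1;s:{len(cookie_pw)}:"{cookie_pw}";}}')

def cookie_member(raw_cookie: str, lookup_stored_hash):
    """Read-only check: the member id if the cookie's hash matches, else None."""
    parsed = parse_cookie(raw_cookie)
    stored = lookup_stored_hash(parsed[0]) if parsed else None   # hypothetical member lookup
    if stored is None:
        return None
    return parsed[0] if hmac.compare_digest(parsed[1], cookie_password(stored)) else None
```

The constant-time compare matters even for a read-only integration: comparing the presented hash with plain string equality would leak timing information to whoever crafts cookies.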

Mike Bobbitt:
Thanks, that's exactly the info I was looking for... Appreciate you providing the code sample and the explanation! Looks like I'll have an "SMF compatible" version shortly...  8)


Cheers

[Unknown]:
Just a warning, not trying to be mean or anything here, but do remember that the code he quoted is *still* under the same license as the other SMF code.

We're looking into the possibility of offering that and other segments in other languages in different licenses. However, this is important to note if you are using GPL or etc. as your license.

Please contact Jeff Lewis or Joseph Fung - or even me - for more information.

Thanks,
-[Unknown]

Mike Bobbitt:
Ahhh, thanks for the note... album.pl is actually written in perl, so none of the SMF code will appear in it. In fact, I believe I can do the "double HMAC" bit with builtin packages. It looks identical to the YaBB SE HMAC method, which I've already written in Perl.

Good to know though, as it wouldn't have crossed my mind otherwise.

Thanks again...
