Automatic Login from HTTP Authentication

Started by pankus, August 17, 2010, 04:46:35 PM


pankus

I would like to implement an automatic login feature for our forums on a local intranet. The username would be taken from $_SERVER['REMOTE_USER'] and then logged in automatically using whatever password was in the database. If the username was not in the database, then it would be created with a random password.

I am using Simple Machines 1.1.11. I haven't seen anything like this, so I'm wondering if LogInOut.php is the place to make the modifications, or if I should use some of the integration hooks that I have seen people mention.

Any help is appreciated. Thanks.

kriation

Hi Pankus,
You won't have to use the user's password to log them in.

There's a function in Subs-Auth.php called setLoginCookie which will set the cookie for the user.

However, any HTTP header variable can be easily spoofed, and so setting the cookie without verification is not recommended, especially when the verification we're depending on is REMOTE_USER. As long as you feel comfortable with that caveat, you shouldn't have an issue setting the cookie for the user without them authenticating.



pankus

So I have been playing around with the setLoginCookie function from the Subs-Auth module but haven't had much luck; maybe it's my lack of experience with cookies and PHP in general. I will try to explain my attempts.

I edited Load.php since it seemed to be called on every page. Then I retrieved the appropriate ID_MEMBER for the authenticated user, and used setLoginCookie with a timeout and ID_MEMBER. However, I am at a loss for what to do after this. My attempts to call Login2() result in a redirect error. Maybe I am misunderstanding how the login process works.

Thanks.

pankus

Well, this is what I ended up doing. I'm sure it isn't very secure, but if people are spoofing remote_user then IT has bigger things to worry about than a 20 member forum. It also leads to some admin wonkiness, but so far I haven't seen any real problems.
In index.php:
// Login name set by the web server's HTTP authentication. Escape it so a quote
// in the name cannot alter the query below.
$rem_user = mysql_real_escape_string($_SERVER['REMOTE_USER']);
$result = db_query("
	SELECT ID_MEMBER, passwd
	FROM smf_members
	WHERE memberName = '$rem_user'
	LIMIT 1", __FILE__, __LINE__);

$row = mysql_fetch_assoc($result);
$memid = strval($row['ID_MEMBER']);
$user_settings['passwd'] = $row['passwd'];
mysql_free_result($result);

require_once($sourcedir . '/Subs-Auth.php');
// Generate a fresh salt, store it for this member, then issue the login cookie.
$user_settings['passwordSalt'] = substr(md5(mt_rand()), 0, 4);
// Use $memid here: $ID_MEMBER is never assigned in this snippet.
updateMemberData($memid, array('passwordSalt' => '\'' . $user_settings['passwordSalt'] . '\''));
setLoginCookie(3153600, $memid, sha1($user_settings['passwd'] . $user_settings['passwordSalt']));
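
A check that could run before the lookup above, as an added example that is not part of the original post or of SMF. resolve_remote_user() is a hypothetical helper; the header names it refuses and the allowed-character pattern are assumptions to adapt to the local web server and directory.

```php
<?php
/**
 * Return the login name the web server authenticated, or null when it
 * should not be trusted. $server is normally $_SERVER; it is a parameter
 * so the function can be exercised with sample data.
 */
function resolve_remote_user(array $server)
{
    // AUTH_TYPE is filled in by the server's own authentication module.
    // Without it, REMOTE_USER did not come from an HTTP auth challenge.
    if (empty($server['AUTH_TYPE']) || !isset($server['REMOTE_USER']))
        return null;

    // Headers sent by the client appear under HTTP_* keys, never as
    // REMOTE_USER itself. A request carrying a look-alike header is
    // refused outright (a policy choice made for this example).
    foreach (array('HTTP_REMOTE_USER', 'HTTP_X_REMOTE_USER') as $key)
        if (isset($server[$key]))
            return null;

    // Assumption: intranet logins are plain account names.
    $name = trim($server['REMOTE_USER']);
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name))
        return null;

    return $name;
}

// Constructed sample environments, not captured from a real server.
$samples = array(
    'server-authenticated' => array('AUTH_TYPE' => 'Basic', 'REMOTE_USER' => 'jsmith'),
    'client header only'   => array('HTTP_REMOTE_USER' => 'admin'),
    'look-alike header'    => array('AUTH_TYPE' => 'Basic', 'REMOTE_USER' => 'jsmith',
                                    'HTTP_X_REMOTE_USER' => 'admin'),
    'no auth module'       => array('REMOTE_USER' => 'jsmith'),
    'unexpected chars'     => array('AUTH_TYPE' => 'Basic', 'REMOTE_USER' => "o'brien;"),
);

foreach ($samples as $label => $env) {
    $user = resolve_remote_user($env);
    echo str_pad($label, 24), ($user === null ? 'rejected' : "accepted as $user"), "\n";
}
```

Only the first sample is accepted; the forum would skip the automatic login and fall back to its normal login form for the others.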


kriation


moufa

Hello, I am working on a similar thing. Will the above code work for the 2.0.10 version? Moreover, I have a question:

Does the setLoginCookie function require the password to be already hashed, or in plain text? From the code above it seems that the password is first hashed with SHA1 and then passed as a parameter to the function. Thanks.

Kindred

The password is *NEVER* passed in plain text.


moufa

Thanks guys! I figured out the issue and it is working fine!  :D

moufa

Quote from: live627 on May 29, 2015, 07:26:20 PM
setLoginCookie requires the password to be already hashed

http://support.simplemachines.org/function_db/index.php?action=view_function;id=246


Excuse me for reopening this thread. A quick question: although I am setting the login cookie for the admin to automatically log in to the forum, when he tries to access the admin panel it still asks for the admin password.
Is this for security reasons, or is there another way to bypass this second login process?

When he actually logs in, it doesn't ask for that. When you set the cookie for auto login, it does. I don't know how this works, so any comment would be appreciated. Thank you.

live627

Security, yes. There is a setting to turn it off somewhere in the admin panel... I don't remember it off the top of my head, though.

moufa

Quote from: live627 on June 10, 2015, 04:56:23 AM
Security, yes. There is a setting to turn it off somewhere in the admin panel... I don't remember it off the top of my head, though.


Thanks, I found the option in the admin panel  :)
