How to create an SMF cookie to share login between page and forum?

Started by neredsenvy, October 11, 2012, 10:50:05 AM


neredsenvy

Hi,

So I want my users to only register and log in once. I already have the registration part working and they can manually
log in to the forum, but I want to merge my login for website and forum.

My website users will have the same user id as forum users and the same password encryption: sha1( lowercase(username) + password ).

How can I use $_COOKIE[]... to create an SMF login cookie so that when they click on Forum they are redirected to the forum
and are already logged in?

Thanks for all the help in advance.

Arantor

Easy: don't bother having multiple sets of data, just use SMF's and be done with it entirely.

Make sure the cookies are set to be 'subdomain independent' and you can just include SSI.php in your main website which will verify SMF's cookie for being logged in.

See: How do I integrate SMF into my PHP coded website?
Holder of controversial views, all of which my own.


Arantor

SMF just isn't designed the way you want it to be.

You could, I guess, use the integration hooks to delegate everything over to your CI setup, assuming the accounts have the same ids.

Arantor

You want a newbie answer but you've written an application in CodeIgniter?

Honestly, what you want is not to manipulate it from CodeIgniter. What you want to do is set up an integration hook from SMF, specifically a function that should be called at integrate_verify_login, which should check your CodeIgniter app's cookie and determine the SMF user id from that.

All you need to do to make that happen is make sure that in the smf_settings table, the value for integrate_verify_login contains the name of a function that will be called to do your login system.

Arantor

It's difficult because you're going out and making it more difficult for yourself.

Are you certain, for example, that your custom login system is robust against things like session fixation? SMF's is proven to be the case. Using that as a single login system is, honestly, a lot better.

Not to mention that creating multiple cookies as you want is not only a bad idea from a security perspective, it's also grossly inefficient because both cookies will be sent back and forth on every single page, image, CSS and JavaScript request. You *really* want to keep cookies to as few as possible.

Arantor

Then why not just use SMF itself with a custom page mod or two?

Arantor

In which case go with my earlier suggestion. (Note, you could go to any other forum system, you'll have much the same problem)

I don't know how your login system works so I can't tell you how to write the function that you need.

Arantor

How is the session id generated exactly? You're using the PHPSESSID cookie for this?!?!

Arantor

Which DOES create a cookie, with the name PHPSESSID, which is about the most insecure setup you can imagine.

Forget what I said. Any bridging to this system will compromise your forum.

Arantor

I'm not telling you how to make your forum (and potentially your entire server) insecure.

Kindred

Why don't you just *ADD* SMF processing to your existing pages?

If all you want is dual login, then do just that.
Use SSI_login to handle the login.

Once you have loaded SSI, you have access to all of the SMF arrays, like user_info and context...

Why do you have to use the (insecure) system which you tried to develop? Just use your page's content to generate the page... but use SSI and SMF functions to handle the user functions.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
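One way to do what Arantor and Kindred describe: let SMF own the login entirely and have the main website ask SMF who the visitor is through SSI.php. This is an added example, not code from the thread or from SMF's own documentation. It assumes SMF 2.0's SSI.php API ($context, $user_info, $scripturl, ssi_login()), a hypothetical forum path of /var/www/forum, and that the forum's cookie is set to be subdomain independent (the admin setting Arantor refers to) so that SMF's cookie is sent to this page as well.

```php
<?php
// Added example, not from the thread or from SMF itself.
// A page on the main website that delegates login state to SMF via SSI.php.
// Assumptions: SMF 2.0 installed at /var/www/forum (hypothetical path) and a
// cookie domain shared by site and forum so SMF's cookie reaches this page.

// SSI.php loads SMF's settings, resumes the session and may send headers
// (cookies, redirects), so it must be included before any output at all.
require_once('/var/www/forum/SSI.php');

// Everything the site needs to know about the visitor comes from SMF's own
// verification of its own cookie; the site keeps no password or session of its own.
function current_forum_user(): ?array
{
    global $context, $user_info;

    if (empty($context['user']['is_logged']))
        return null;

    return [
        'id'       => (int) $user_info['id'],      // use this as the key for site-side data
        'name'     => $user_info['name'],
        'is_admin' => !empty($user_info['is_admin']),
    ];
}

$visitor = current_forum_user();

if ($visitor === null) {
    // Guest: render SMF's own login form, which posts to SMF's login handler.
    // ssi_login() stores $redirect_to in the session so SMF sends the user back
    // here after a successful login. Nothing about passwords is reimplemented.
    $here = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://'
        . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    ssi_login($here);
} else {
    // Logged in: the forum account drives the site's own authorization decisions.
    echo 'Hello, ' . htmlspecialchars($visitor['name'], ENT_QUOTES, 'UTF-8') . '.';
    if ($visitor['is_admin'])
        echo ' (forum administrator)';

    // Log out through SMF too, carrying SMF's session check token so the
    // logout link cannot be triggered cross-site.
    echo ' <a href="' . $scripturl . '?action=logout;'
        . $context['session_var'] . '=' . $context['session_id'] . '">Log out</a>';
}
```

With this arrangement the OP's "same user id as forum users" requirement is met for free: the site stores nothing but SMF's member id next to whatever site-specific data it needs, and there is exactly one cookie, one password store and one session implementation to get right.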

Kindred

Arantor

No, I'm one of the guys who would rather turn jobs down and take no money than do something knowingly unethical.

Kindred

And I am one of the SMF team, who does this all for free....

No one is asking for any money at all. We are telling you that what you propose is a severe security situation waiting to happen. I don't care if 10 people are going to access it. We are not going to hand out information on building an insecure project that involves SMF in any way, shape or form. SMF takes its security very seriously (and, as a note, has one of the best security records of any forum software)

live627

Quote: I just want to merge the freaking login
That should be possible for a PHP developer who has used CI to create a website. Why haven't you dug down into SMF's integration hooks yet??

Arantor

As he said, this is his first CI project too. So he's taking two things of complexity, trying to smash them together, and no-one will help him any further because he already has a catastrophically insecure setup that relies solely on PHPSESSID cookies, and tying that to SMF would compromise SMF's security - which as an admin is a big deal (since that would give you access to things like the package manager or installing a theme, whereupon all kinds of malicious code can be added).

live627

I gather that his setup allows for hijacking the session?

Arantor

Yes, yes it does, as mentioned by Dragooon.

And the fact that it's fundamentally vulnerable to session fixation (which SMF's set up is not)

It's not even following the GOLDEN rule of dealing with sessions as laid down by Zend and is even pretty much guaranteed to come up every Zend exam, relating to session_regenerate_id()...

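The session fixation Arantor is pointing at, and the session_regenerate_id() rule he says the custom login breaks, shown side by side as an added example (not code from the thread, from SMF or from CodeIgniter; it does not reproduce how SMF implements its own sessions). It targets PHP 7.3 or later for the array form of session_set_cookie_params(). check_credentials() is a constructed stand-in with one built-in demo account so the file runs offline; it is not SMF's password scheme.

```php
<?php
// Added example, not from the thread, SMF or CodeIgniter. PHP 7.3+.
// Shows a login handler open to session fixation next to a hardened one.

function check_credentials(string $user, string $pass): int
{
    // Constructed stand-in: one demo account, returns the member id or 0.
    static $demo = null;
    if ($demo === null)
        $demo = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return (isset($demo[$user]) && password_verify($pass, $demo[$user])) ? 42 : 0;
}

// VULNERABLE: resumes whatever session id the client arrived with and keeps it
// after login. If an attacker can plant an id (a link carrying ?PHPSESSID=...
// with session.use_trans_sid on, or a cookie set from a sibling subdomain),
// the victim authenticates an id the attacker already knows, and the attacker
// now holds a logged-in session. Nothing here ever replaces the id.
function login_fixable(string $user, string $pass): bool
{
    session_start();
    $id = check_credentials($user, $pass);
    if ($id === 0)
        return false;
    $_SESSION['id_member'] = $id;   // privilege attached to an attacker-known id
    return true;
}

// HARDENED: accept ids only from cookies, only ids this server issued, send the
// cookie with safe flags, and issue a brand-new id the moment the session
// gains privilege. These ini settings are per request, so every page that
// touches the session must start it this way, not just the login page.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE)
        return;
    ini_set('session.use_only_cookies', '1');   // ignore ids in URLs and POST bodies
    ini_set('session.use_trans_sid', '0');      // never rewrite ids into links
    ini_set('session.use_strict_mode', '1');    // reject ids the server never created
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // TLS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_hardened(string $user, string $pass): bool
{
    secure_session_start();
    $id = check_credentials($user, $pass);
    if ($id === 0)
        return false;
    // The rule Arantor refers to: on any privilege change, get a fresh id and
    // delete the old one, so an id chosen or observed before login is worthless
    // afterwards. Must run before any output, like session_start() itself.
    session_regenerate_id(true);
    $_SESSION['id_member']    = $id;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Per-request check for pages behind the hardened login.
function current_member_id(): int
{
    secure_session_start();
    return isset($_SESSION['id_member']) ? (int) $_SESSION['id_member'] : 0;
}

function logout(): void
{
    secure_session_start();
    $_SESSION = [];
    // Expire the cookie on the client with the same attributes it was set with,
    // then destroy the server-side state so the old id can never be reused.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

The difference between the two handlers is the one call to session_regenerate_id(true) plus refusing ids that did not come from a cookie the server itself issued. Tying SMF to a system with the first handler would let whoever fixed or stole the PHPSESSID walk into the forum as that member, which is why the thread stops at this point.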