I'm trying to manually set the log in cookie.
I know the
memberName
password / passwordHash (from login form submission)
session_id()
I'm using smf_api.php but it does not work.
Can someone please help
Ok I think I need to clear up my previous post. So here is exactly what I'm trying to do.
On the front end of the site I'm displaying a Login Form. The login form is custom built, with specially setup error messages and display settings depending on the type of user that logs in, this is managed by my CMS. Therefore I cannot use the SSI function to display the login form.
On submission the username password information are currently not hashed, however, I can use a javascript function to hash the password / username / session information to hash the data on submission. I am planning on using the following SHA1 algorithm to perform the hash. The algorithm is featured on:
http://www.movable-type.co.uk/scripts/sha1.html (http://www.movable-type.co.uk/scripts/sha1.html)
I don't know if this algorithm is compatible with the algorithm used by SMF, if it's not, can I use the JS SHA1 algorithm that SMF uses without infringment (this is a commercial product that will be resold)?
I was thinking about having the form submit to "integrate.php?action=login2"
and have the following code on the integrate.php page
FORM PAGE CODE:
<script>
var session=SET SESSION FROM PHP
function validateLogin(){
var uname=$('username').value;
var pass=$('password').value;
$('password').value=(sha1(uname+password+session) //or some other variation;
}
function sha1(msg){
SHA1 FUNCTION FROM http://www.movable-type.co.uk/scripts/sha1.html
}
</script>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="left" valign="top"><table width="296" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="2"><img src="images/join_top.jpg" border="0" usemap="#Map"></td>
</tr>
<tr>
<td width="142"><img src="images/join_bottom_l.jpg" border="0" usemap="#Map2"></td>
<td width="154" align="left" valign="top" background="images/join_bottom_r.jpg">
<table width="100%" border="0" cellspacing="1" cellpadding="1">
<form method="POST" id='loginForm' action="".WEB_ROOT_FRONT."/integrate.php?action=login2" onSubmit="return validateLogin(this);">
<tr>
<td width="74%"><div class="fieldHolder">
<input name="username" id="username" type="text" class="textInput" value="Username" />
</div>
</td>
</tr>
<tr>
<td>
<div class="fieldHolder">
<input name="password" id="password" type="password" class="textInput" value="Password" />
</div>
</td>
</tr>
<tr>
<td align="right"><a href="".WEB_ROOT_BASE_FRONT."/forum/index.php?action=reminder"><font class="ForgotLink">Forgot your password?</font></a> <br>
<a href="javascript: $('loginForm').submit()"><img src="images/login.jpg" width="73" height="23" hspace="10" vspace="5" border=0></a></td>
</tr>
</form>
</table>
</td>
</tr>
</table>
INTEGRATE.PHP CODE
<?
//include CMS settings
require_once("inc/config.php");
//redirect people away from this page as they should not be looking at it directly.
if (basename($_SERVER['PHP_SELF']) == 'integrate.php')
{
header('Location: ' . WEB_ROOT_FRONT);
die;
}
define('SMF_INTEGRATION_SETTINGS', serialize(array(
// 'integrate_reset_pass' => 'reset_pass_function',
// 'integrate_exit' => 'exit_function',
// 'integrate_logout' => 'logout_function',
'integrate_login' => 'CMS_Login'
// 'integrate_validate_login' => 'validate_login_function',
)));
//include SMF settings (I don't think that there is any conflict)
require_once('../forum/SSI.php');
$context['siteurl'] = WEB_ROOT_FRONT;
function CMS_Login($uname, $pass, $time){
//PREFORM CMS LOGIN FUNCTIONALITY HERE
//SET CMS LOGIN FUNCTIONALITY HERE
}
?>
Once this runs I need to redirect the user back to the page on which they tried to log in. This will work for the CMS, and I think that SMF supports the same functionality.
Please let me know if I'm using the integration hooks properly, and if not what can I do to make this happen.
Is there something wrong with what I'm asking, or is this just something that cannot be done. I am really falling behind on this project, and any input would be greatly appreciated.
Thank You
If you want permission to redistribute code, you need to send an email to info at simplemachines.org.
If you are submitting data to SMF's login system, you don't actually need to submit it pre-hashed. It is true that SMF does this natively, but SMF will also understand an unhashed password, and hash it before comparing it to the database value.
You are using the integration hooks correctly, except for the inclusion of SSI.php instead of SMF's index.php. Submitting the login to SSI.php?action=login2 will not give you any results, because SSI has no idea what to do with "action=login2". The array that determines those actions and results is in SMF's index.php.
Thank You Orstio, I appreciate the response.
However, I don't want the user to be redirected to SMF upon login into the CMS, all I want to do is set the login cookie and authenticate the user with SMF so that if they decide to go to the SMF section on the site at some point during their visot they will not be asked to log in again.
Is this functionality supported by SSI, or do I need to use the API.
I am having problems with the call to integrate.php?action=login2. It seems that after the form is submitted I get redirected to "forum/index.php" and my CMS login function does not get called. However, I do get logged into SMF properly.
Here is the code for integrate.php:
require_once("myCMS/inc/config.php");
define('SMF_INTEGRATION_SETTINGS', serialize(array(
// 'integrate_reset_pass' => 'reset_pass_function',
// 'integrate_exit' => 'exit_function',
// 'integrate_logout' => 'logout_function',
'integrate_login' => 'myCMSLogin'
// 'integrate_validate_login' => 'validate_login_function',
)));
function myCMSLogin($uname, $pass, $time){
$array=array("user"=>$uname, "passwrd"=>$pass);
$Controller=new myCMSControllerMain(false);
$result=$Controller->doAction( array('module'=>'members', 'object'=>'membersModule', "action"=>'checkUserLogin'), $array );
}
require_once('forum/index.php');
//redirect people away from this page as they should not be looking at it.
/*
if (basename($_SERVER['PHP_SELF']) == 'home.html')
{
header('Location: ' . $siteurl);
die;
}
*/
please tell me what I'm doing wrong
Is there anything in your error log? It looks like SMF is exiting instead of returning, which would be normal behaviour if there was an error.
Orstio, Thank You again for your reply. You are absoutely correct, I had an error in my CMS login function that was messing everything up. I can't thank You enough for trying to help me, this is greatly appreciated. I will definetly stick around these boards in the future and try to help out whomever I can with my limited knowledge.
However there is still a problem.
I modified the code on "index.php" of the forum to be as follows to fix the previous error. I decided to embed the integration code directly on SMF's index.php page, instead of using the integrate.php page.
forum/index.php
define('SMF_INTEGRATION_SETTINGS', serialize(array(
// 'integrate_reset_pass' => 'reset_pass_function',
// 'integrate_exit' => 'exit_function',
// 'integrate_logout' => 'logout_function',
'integrate_login' => 'myCMSLogin'
// 'integrate_validate_login' => 'validate_login_function',
)));
function myCMSLogin($uname, $pass, $time){
$array=array("username"=>$uname, "password"=>$pass);
require("../inc/config.php");
$Controller=new myCMSControllerMain(false);
//where to redirect after login
$_SESSION['login_url']=WEB_ROOT_BASE_FRONT."/home.html";
return $result=$Controller->doAction( array('module'=>'members', 'object'=>'membersModule', "action"=>'setUserSessionData'), $array );
}
The problem is that the login function for my CMS sets up some $_SESSION variables. What happens when the login2() function for SMF runs, it changes the $_SESSION id, and all the session variables set up by the CMS login function are no longer visible. Whats even worse is the fact the the session id gets changed after the integration hook runs, so I have no way to copy my session variables to the new session id, and the CMS login data is lost.
Because of this I think I will have to change the validation on myCMS to use the cookie that is set by SMF to set the session variables. I hope I'm wrong on this and there is some way to merge the old session and the new one, but in case I'm right here is another solution. Unfortunately I need help with this one too.
Here is the code that I'm planning to use to authenticate the access levels for the user once they are authenticated by SMF and the cookie is set.
$result=$Controller->doAction( array('module'=>'members', 'object'=>'membersModule', "action"=>'setUserSessionData2'), false );
function setUserSessionData2(){
if(isset($_COOKIE['SMF_COOKE'])){
//get Data From Cookie
$data=unserialize($_COOKIE['SMF_COOKE']);
$ID_MEMBER=$data[0];
//THS IS WHERE I NEED HELP I NEED TO SET $pwHash=SMF password field
$pwHash=getPW($data[1]);
//note cms_members is the SMF members table with several added fields
$sql="SELECT some data .......... FROM
cms_members cm
INNER JOIN
cms_access_tbl cat
ON cm.ID_MEMBER=cat.ID_MEMBER
WHERE cm.MEMBER_ID='".$ID_MEMBER."' AND passwd='".$pwHash."'";
$result=dbQuery($sql);
if(dbNumRows($result)){
//DO CMS LOGIN STUFF
}
else{
return false;
}
}
else{
return false;
}
}
//This function will take the cookie data and make it equal to the password hash
//that's in the database.
//I need some help with this one
function getPW($pwHash){
//PLEASE HELP HERE
$hash=do some stuff to $pwHash
return $hash
}
QuoteThe problem is that the login function for my CMS sets up some $_SESSION variables. What happens when the login2() function for SMF runs, it changes the $_SESSION id, and all the session variables set up by the CMS login function are no longer visible. Whats even worse is the fact the the session id gets changed after the integration hook runs, so I have no way to copy my session variables to the new session id, and the CMS login data is lost.
That's not the whole picture. SMF cleans the current session, and replaces it with a SMF-only session in order to counter a possible PHP session fixation exploit. This happens on login, and I believe after every post.
If your CMS relies on session data, the trick is to write that data to SMF's session AFTER the login.
Or....
Force SMF to use your CMS login.
Check the integrate_verify_user hook to find out how that works. With this hook, you can get SMF to validate against an alternative authentication, like a cookie from your CMS.
Orstio, once again Thank You for the reply.
You have confirmed my suspicions, that I will need set up the CMS login session outside of the integration hook. (It would be nice if SMF ran the integration hook after the new session_id was assigned so that it could be used to set up CMS session vars.
But I think I understand the reasons for not doing so. Thus I will continue with the solution I planned out in the above post. Where the SESSION is checked or set on every page of the CMS.
I will set the CMS session from the cookie that was set by SMF upon login.
Here is the code that I'm using
public function setUserSessionData2(){
if(isset($_SESSION['member']) && count $_SESSION['member'])
return true;
if(isset($_COOKIE['SMF_COOKE'])){
//get Data From Cookie that was set by SMF upon login
$data=unserialize($_COOKIE['SMF_COOKE']);
$ID_MEMBER=$data[0];
$pwHash=$this->$data[1];
//note cms_members is the SMF members table with several added fields
$sql="SELECT ku.*, kg.groupName as kapelleGroupName
FROM
kapelle_users ku
INNER JOIN
kapelle_group_tbl kg
ON
ku.kapelleGroupID=kg.groupID
WHERE
MEMBER_ID='".$ID_MEMBER."' LIMIT 1";
$result=dbQuery($sql);
if(dbNumRows($result)){
$row=dbFetchAssoc($row)
//Check if the hash from the Database is equal to the Cookie Hash set by SMF
if(sha1($row['passwd'] . $row['passwordSalt'])==$pwHash){
//set CMS session vars
$_SESSION['var']=$row['var'];
$_SESSION['var']=$row['var'];
$_SESSION['var']=$row['var'];
................................................
return true;
}
else{
return false;
}
}
else{
return false;
}
}
else{
return false;
}
}
I'm assuming the following
$data=unserialize($_COOKIE['SMF_COOKIE'])
$pwhash=$data[1];
$SMFHash=sha1(passwd.passwordSalt) from the SMF members table
if($pwhash==$SMFHash) //This is the Assumption about how the Cookie is set.
return true
else
return false // authentication failed
I have not tested this solution yet, but I'm hopeful that it will work. Please let me know if I'm way off base somewhere. I will post the results of this once I test.
Once again Thank You for helping me on this, I might still be able to save my behind on this project :)
Ok. The above described method works pretty well. The only think I would like to change if possible
On the Login page if the user enters a wrong password they are taken to SMF's login error page. What I would like is for them to be redirected to the page from which they made the submission.
Please tell me if this is possible
I wouldn't even bother authenticating in SMF. Seems redundant to authenticate in both, no?
define('SMF_INTEGRATION_SETTINGS', serialize(array(
// 'integrate_verify_user' => 'CMS_verify_user',
)));
function CMS_verify_user ()
{
$ID_MEMBER = (int) $_SESSION['ID_MEMBER'];
return $ID_MEMBER;
}
That's very true. The reason why I wanted to use SMF's authentication is because it appears to be far more robust and secure then then authentication procedures that I wrote for my CMS. Although for some Login Forms used throught the CMS driven site I will definetly use the hook you just provided me with, and forgo the SMF authentication. I think for the majority of the login forms I would like to use SMF's authentication procedures with the integration hooks that we outlined above, even though the authentication is a bit repetitive, as they seem to be very secure.
I'm back on track with this project :) I was not at all expecting the level of support that I received on this issue. The help that was offered was precise, informative, and extremely helpful. I was quite hesitant to use SMF at the beginning of the project as I had never used it before, but the client insisted. I would like to say that because of the support and the features offered by SMF, it will become "the" forum application I use in my future development ventures.
Thank You
Orstio and Canucks
Why not handle the session data loss issue using a javascript code.
Look here - http://www.thomasfrank.se/sessionvars.html
Seems like a quick fix to all these data loss issue. In my case, i loose data from session only when i am using Firefox. In IE the CMS+SMF works like a charm with no loss in any session data.
hiii
i read and read and red but i cant understadn how to integrate in to my own app
i am develop in codecharge studio... theres no problem using the member table form SMF .. with my own apps .... my problem is when i want to make a record to my db .. i want to get the MEMBER_ID from SMF to record in to my own app
i have a table of user in my db using id_socio as key
i want to log in using SMF to get the user logged .. when the user make a record to my app get the MEMEBERID form smf ..
how can i do this??
or is very simple to make the bridge ??
thanks
Quote from: henryford on July 12, 2008, 01:59:12 PM
Orstio and Canucks
Why not handle the session data loss issue using a javascript code.
Look here - http://www.thomasfrank.se/sessionvars.html
Seems like a quick fix to all these data loss issue. In my case, i loose data from session only when i am using Firefox. In IE the CMS+SMF works like a charm with no loss in any session data.
I wouldn't refer to the destruction of the session on login as "loss". SMF purposely deletes the session information in order to make sure that there is no session fixation. If you have modified this somehow so that there is session fixation, then you have opened a security hole in your forum.
It is however strange that SESSION data is lost only in Firefox and not in IE (an Crazy Browser) !
I have smf at www.mysite.org/smf
My Integration is like this . (I have renamed SMF's index.php into index.inc.php) and i am using a index.php file that looks like this : ($_SESSION['user_name'] is populated at the previous CMS login screen)
<?php
include($_SERVER['DOCUMENT_ROOT'] ."/classes/sessions.php");
include($_SERVER['DOCUMENT_ROOT'] ."/classes/config.php");
//session_start();
//include($_SERVER['DOCUMENT_ROOT'] ."/classes/login_check.php");
include($_SERVER['DOCUMENT_ROOT'] ."/classes/menu.php");
if($_SESSION['user_name'] != NULL)
{
define('SMF_INTEGRATION_SETTINGS', serialize(array(
'integrate_verify_user' => 'integrate_verify_user',
)));
function integrate_verify_user () {
global $db_name, $db_prefix, $sql, $userdata;
$query = mysql_query("SELECT ID_MEMBER FROM {$db_prefix}members WHERE memberName = '$_SESSION[user_name]'");
if (!(list($ID_MEMBER) = mysql_fetch_row($query))) {
mysql_query("INSERT INTO {$db_prefix}members
(memberName, realName, passwd, emailAddress, dateRegistered, ID_POST_GROUP, lngfile, buddy_list, pm_ignore_list, messageLabels, personalText, websiteTitle, websiteUrl, location, ICQ, MSN, hideEmail, signature, avatar, usertitle, memberIP, memberIP2, secretQuestion, additionalGroups)
VALUES ('$userdata[username]', '$userdata[forum_name]', '$userdata[password]', '$userdata[email]', ".time().", '4', '', '', '', '', '', '', '', '', '', '', '1', '', '', '', '', '', '', '')");
$ID_MEMBER = mysql_insert_id();
}
return $ID_MEMBER;
}
# Include the original index.php
include($_SERVER['DOCUMENT_ROOT'] . "/smf/index.inc.php");
}
else
{
# Include the original index.php
include($_SERVER['DOCUMENT_ROOT'] . "/smf/index.inc.php");
}
?>
This works pretty well (both in FF and IE) and when you go from CMS to SMF, user looks logged in.
The moment you click on anything in the forum (in FF ONLY. IE is fine) , Member is logged out from Forum ! He still is logged into the CMS part.
Orstio,
Do you mean that just after the integrate_verify_user hook, we should use populate SMF session variable for member id with $ID_MEMBER ?
How do you do that and what is the name of the SMF Session variable ?
I think i am at a loss here. How do you populate the SMF Session variables with some data so that although SMF will not allow session fixation, session values will still be available.
Thanks
HF
The session destruction is done on certain events, like logging into SMF or posting a message.
The integrate_verify_user hook is done on each and every page load, so is not related at all to the session destruction.
What I am saying is that if somebody logs into SMF using the SMF login (not the integrate_verify_user hook), then their session will be destroyed and recreated, which results in non-SMF session info getting destroyed (not lost, but purposely deleted).
Quote from: Orstio on July 11, 2008, 11:56:31 PM
QuoteThe problem is that the login function for my CMS sets up some $_SESSION variables. What happens when the login2() function for SMF runs, it changes the $_SESSION id, and all the session variables set up by the CMS login function are no longer visible. Whats even worse is the fact the the session id gets changed after the integration hook runs, so I have no way to copy my session variables to the new session id, and the CMS login data is lost.
That's not the whole picture. SMF cleans the current session, and replaces it with a SMF-only session in order to counter a possible PHP session fixation exploit. This happens on login, and I believe after every post.
If your CMS relies on session data, the trick is to write that data to SMF's session AFTER the login.
Or....
Force SMF to use your CMS login.
Check the integrate_verify_user hook to find out how that works. With this hook, you can get SMF to validate against an alternative authentication, like a cookie from your CMS.
Could you elaborate a bit on the following two aspects of your suggestion
If your CMS relies on session data, the trick is to write that data to SMF's session AFTER the login.
Or....
Force SMF to use your CMS login.
How do i write data to SMF's session after the login. Could you point me towards the required hook ?
Your advice is always greatly appreciated.
HF
QuoteHow do i write data to SMF's session after the login. Could you point me towards the required hook ?
I thought you were using the integrate_verify_user hook?
Orstio, you are right. I am using the integrate_verify_user hook so once i log into CMS i am getting logged into SMF showing same user name on the forum as on the CMS. So till that stage it is fine. However, if user clicks on some link in the forum now, there is a loss of session data and user is logged out of SMF while he is still logged in the CMS. i cannot handle the loss of session data problem due to SMF trying to prevent session fixation. so i was thinking if i need some other strategy to overcome the session data problem. Felt that te answer might be in the two suggestions you had that i copy pasted.
my CMS+SMF works great in IE but gets into trouble in FF.
One thing that you can do is reload your SESSION state by reading the SMF's cookie after the login takes place. You can get the following info out of the COOKIE
//SMF_COOKIE is the name of the cookie that's set by SMF you set the name in //the settings.php file
$data=unserialize($_COOKIE['SMF_COOKE']);
$ID_MEMBER=$data[0];
$pwHash=$this->$data[1]; //this is sha1(passwd.passwordSalt) from the SMF members table,
// $data[2] is the the cookie time
/ / $data[3] is the cookie state
I'm not sure which SMF functions call for the reset of the SESSION_ID, but you could reload the CMS SESSION state by using the function provided below in the SMF integration hooks, or you can reload the CMS SESSION when a person leaves the forum using the same function. Here is some pseudo-code for what that function might look like:
cms_some_page.php
<?
function loadCmsState(){
if(isset($_SESSION['cmsData']))
return;
if(isset($_COOKIE['SMF_COOKIE'])){
$data=unserialize($_COOKIE['SMF_COOKE']);
$ID_MEMBER=$data[0];
$pwHash=$this->$data[1]; //this is sha1(passwd.passwordSalt) from the SMF members table,
//SET CMS SESSION DATA USING the information from $data
return true;
}
return false
}
$loginState=loadCmsState();
//CMS CODE
............................
?>
Thanks Canucks
So i think it works like this.
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
At end of step 2 your SMF cookie is set.
3. On the SMF index.php page, add the extra code to get $ID_MEMBER.
You can get $ID_MEMBER from the SMF cookie now
OR
You can get $ID_MEMBER by using CMS SESSION['user_name'] and calling integrate_verify_user
If the $ID_MEMBER is available at the start of index.php of SMF everything should work as desired.
2 Questions
(a) Is there a bridge to log user in once they have logged into CMS ? or you have to use the index.php?action=login2 in a header location ?
(b) How to kill the SMF cookie when user is logging OFF from CMS.
As Orstio said, I think the javascript code is indeed a breach of security. We dont want someone to get into administrator access of the forum.
Can an SMF cookie be generated for a given username ? Then i can just generate an SMF cookie from the CMS login page using the member_name (member_name is unique and is the same in the CMS member table and SMF member table) without really logging the user in SMF. I can destroy this cookie from the CMS logout page.
What is your setting for local storage of cookies? Subdomain independent cookies?
QuoteSo i think it works like this.
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
At end of step 2 your SMF cookie is set.
3. On the SMF index.php page, add the extra code to get $ID_MEMBER.
You can get $ID_MEMBER from the SMF cookie now
OR
You can get $ID_MEMBER by using CMS SESSION['user_name'] and calling integrate_verify_user
Your logic here is flawed.
It's more like this:
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
At end of step 2 your SMF cookie is set.
OR
You can get $ID_MEMBER by using CMS SESSION['user_name'] and calling integrate_verify_user
I don't understand why you think you need to write code for SMF to get information from SMF's cookie. SMF does that all on its own.
Orstio
These are my settings -
Enable local storage of cookies - Yes
Use subdomain independent cookies - No
I think i am unable to communicate properly here. I am logging through CMS. So SMF cannot create cookie on its own till i also log in to SMF somehow. Right ?
Actually i even tried to set a cookie after logging in to my CMS
setcookie("RSAMF", $result_username, time()+3600);
Then in SMF's index.php file i tried
if(isset($_COOKIE['RSAMF']))
{
$MEMBER_NAME=$_COOKIE['RSAMF'];
$_SESSION['user_name'] = $MEMBER_NAME;
}
if($_SESSION['user_name'] != NULL)
{
define('SMF_INTEGRATION_SETTINGS', serialize(array(
'integrate_verify_user' => 'integrate_verify_user',
)));
......... (same as before)
This time again, when i click on a board or topic, the cookie data is also not visible ! I tried with echo $MEMBER_NAME.
I think i see what you mean now. So it will be enough to somehow log into SMF after user has logged into CMS. (I will need help for this)
The SMF will itself try to find user data from cookie even i do not explicitly add anything on SMF's index.php
That means i dont even need to add the integrate_verify_user hook at the start of SMF's index.php (I register users into SMF automatically once they register into CMS)
Right ?
So then, i will need to write the code to login into SMF after the user logs into CMS. You have to point me in some direction as to how to do this >
When using any form of integration local cookies should always be off. I think the term "local" in this case can be misinterpreted -- It means the cookies are stored on the server where SMF resides, not on the user's computer.
You might also need to turn on subdomain independent cookies. THis depends greatly on the server.
QuoteThe SMF will itself try to find user data from cookie even i do not explicitly add anything on SMF's index.php
That means i dont even need to add the integrate_verify_user hook at the start of SMF's index.php (I register users into SMF automatically once they register into CMS)
No, you still don't have it.
This is an either-or situation.
You either log the user into your CMS, and then use the integrate_verify_user hook to make SMF simulate being logged in.
OR
You log the user into SMF when they log into the CMS by trying to set the SMF cookie.
OR
You log the user into the CMS when they log into SMF by trying to set the CMS cookie.
Those are three completely different workflows that will not affect each other.
if i have my forum at
mysite.org/smf
that does not mean subdomain right ?
if it were like smf.mysite.org then that would mean subdomain. i am not sure if again it is a loosely used word.
also i have database driven session ON
You're correct about subdomains, but that doesn't mean that the cookies are going to work right without setting subdomain cookies on. Sometimes just trying to set the cookie from a directory other than the SMF directory requires subdomain independent cookies are set on.
I suggest you first try to turn off local cookies, and if you still don't have a cookie, then turn on subdomain independent cookies.
Orstio
I am grateful to you for all your inputs and feedback. I think i am at the edge of solving it, but then again more time i spend more it gets confusing. Following up on your previous post - I am using scenario 1.
"log the user into your CMS, and then use the integrate_verify_user hook to make SMF simulate being logged in"
Now this is good. When i click on 'Forums Tab' i see that i am logged in (Given i already logged into the CMS)
The problem is i am loosing session data whenever i am clicking on any board topic search etc in the forum. Without session data (i mean $_SESSION['cms_user_name'] i cannot use the integrate_verify_user hook anymore. At this point i cannot make SMF simulate being logged in any more and i am logged out of the forum.
I am still logged in to the CMS ! And this happens only in Firefox, not in IE.
In IE my session data is always there and i can run integrate_verify_user at the start of the SMF's index.php file making SMF feel that i am logged in.
So I was trying to get a backup redundancy of setting the SMF cookie so that in case i dont have the SESSION data, i can read data off the cookies.
But seems like subdomain's cannot read Cookies that i am creating from the login.php of the CMS.
Cookie created from
www.mysite.org/login.php can be accessed by www.mysite.org/smf but not even by www.mysite.org/smf/index.php which seems slightly weird !
Let me follow your suggestion step by step about the turning OFF and ON the cookie settings and see how that goes.
Thanks again.
HF
QuoteSo i think it works like this.
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
At end of step 2 your SMF cookie is set.
what does this means " At end of step 2 your SMF cookie is set", so by then the cookie is set,
to verify the cookie I added this (code)
f(isset($_COOKIE['SMF_COOKIE'])){
$data=unserialize($_COOKIE['SMF_COOKE']);
$ID_MEMBER=$data[0];
$pwHash=$this->$data[1]; //this is sha1(passwd.passwordSalt) from the SMF members table,
//SET CMS SESSION DATA USING the information from $data
return true;before the end of the hook function "integrate_login" to retrieve the cookie
but I can't retrieve the SMF cookie - need help on this one thanks!!!!! :)
A trick I use in some bridges to update the session in the bridged forum is to put this in the CMS after including SSI:
$sc = &$context['session_id'];
$_SESSION['USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
That way, SMF sessions stay uniform throughout the site, and will update the entire site session when the SMF session changes to avoid the session fixation.
Perhaps that will help?
Seems that all my problems were from a missing www in the url string on settings.php
I changed the url in settings.php from http://sitename.com to http://www.sitename.com and everything works perfect now !
Previously, internet explorer was being lenient on my site and allowing the session data to be held across all the pages while firefox was dropping session data whenever anything was clicked inside the forum. Now seems these errors dont occur.
I found this hint on another thread where someone said that she was getting Session time out and someone gave this suggestion of trying to put the www
Thanks Orstio and Canucks for all your help! I should also thank the person who suggested the www thing. Maybe i will modify my posting once i find him
QuoteI changed the url in settings.php from http://sitename.com to http://www.sitename.com and everything works perfect now !
That's just goingto break sessions for those who access your site without the "www".
What you want to do is turn on subdomain independent cookies.
Or set up your server to redirect all relevant incoming traffic to www.yoursite.com
Yes i have turned subdomain independent cookies ON. Thanks guys !
Quote from: henryford on July 12, 2008, 08:44:55 PM
Orstio, you are right. I am using the integrate_verify_user hook so once i log into CMS i am getting logged into SMF showing same user name on the forum as on the CMS. So till that stage it is fine. However, if user clicks on some link in the forum now, there is a loss of session data and user is logged out of SMF while he is still logged in the CMS. i cannot handle the loss of session data problem due to SMF trying to prevent session fixation. so i was thinking if i need some other strategy to overcome the session data problem. Felt that te answer might be in the two suggestions you had that i copy pasted.
my CMS+SMF works great in IE but gets into trouble in FF.
I'm also having the same problem...
"However, if user clicks on some link in the forum now, there is a loss of session data and user is logged out of SMF while he is still logged in the CMS."
Please correct me if I'm wrong...
should I set the cookie first in CMS before going to the SMF???
drool
1. what is your CMS ? (Joomla, Drupal, PhPMotion,..)
2. Where is your SMF ? (www.smf.yoursite.com or www.yoursite.com/smf)
3. What are your settings for the Server Setup in SMF Admin Panel ?
Local Cookies ?
Subdomain Independent Cookies ?
4. Also, what is your URL as it appears in the SMF Admin Server Settings page ? (http://yoursite.com or http://www.yoursite.com) ?
* I am assuming you are using the integrate_verify_user hook.
HF