SSI Sessions help

picos · December 15, 2009, 08:27:06 PM

Hi folks, I need some help...

I'm integrating SMF in to a CMS that uses SESSIONS and I think it's messing up the SSI data. The logout session_id for example is showing different numbers from the logout link on the forum itself. I assume it's because the CMS is using session_start() and messing that up.

Anyway, can you create custom SESSION variables that will be transmitted through the SSI so I can securely set the logout data within the CMS rather than relying on the SMF method?

I test things by putting the session logout info in to a cookie and linked the cookie info to a hyperlink and it's allowed me to logout successfully. So I need another method to pass the logout info correctly otherwise I get 'Session verification failed' error.

Or could someone tell me how I use the session data stored in the database table itself. I see the correct set of numbers there but I don't know how to select a specific piece of the code from the table to make my own query for the session_id.

I have read and tried many methods on the forum but it's not working for me due to the usage of session_start in the CMS.

Thanks

picos · December 16, 2009, 07:24:24 AM

Anyone able to offer some advice?

Arantor · December 16, 2009, 07:43:27 AM

That's because the raw session ID isn't pushed into the logout link.

Might help if you provided a few more details about what you're trying to achieve.

In any case, I'll move this to the board dedicated to such things.

Andre N · December 16, 2009, 08:15:37 AM

you're trying to log out of smf through the CMS?

picos · December 16, 2009, 09:32:51 AM

Yes I want to create a logout button on my website rather than the forum. I am using SSI on my site and that is working great but the logout button does not have the correct session id code so it errors when I click logout. From what I have read, it's probably the session_start of the CMS that is conflicting with the SSI session_id.

I just want a simple button to logout of my website as the forum is obviously separate. I already have my cms and forum interacting but the logout is causing me a small headache.

Arantor · December 16, 2009, 09:35:37 AM

The logout session link information can be made available from $context variables, though note that ssi_logout will even build the link for you.

picos · December 16, 2009, 09:53:52 AM

Yes I have tried $context variables and the SSI options and both give the wrong session_id.

Arantor · December 16, 2009, 09:54:11 AM

What options did you use?

Did you use ssi_logout() ?

picos · December 27, 2009, 08:42:20 AM

Sorry for the late reply. Yes I have tried ssi_logout() but again I get the session error.

Arantor · December 27, 2009, 08:44:58 AM

So, what exactly does the link look like? What does it contain? (Note, the moment you successfully log out, the session id is invalid, so generate the link that ssi_logout gives you, the one the forum gives you, then log out, and post both here)

Andre N · December 28, 2009, 07:35:51 PM

I use the following code with the API and it works to log out a user/admin from SMF:

Code Select


function smf_logOut($email)
{
    global $smf_connection, $smf_settings, $smf_user_info;
	if (!$smf_connection)
		return false;
    //get all their info
	$smf_user_info = smf_getUserInfo($email); 
	$id = $smf_user_info['ID_MEMBER'];
	if ($id !='0')
	    {
		// If you log out, you aren't online anymore :P.
		smf_query("
 	    DELETE FROM $smf_settings[db_prefix]log_online
 	    WHERE ID_MEMBER = '$id'
 	    LIMIT 1", __FILE__, __LINE__);
	    }
    //clear session array, overwrite the session cookies and destroy the session
	$_SESSION = array();
    //see if the session cookie exists, get it's params and set an expired cookie in it's place
    if (isset($_COOKIE[session_name()]))
    {
        $params = session_get_cookie_params();
        setcookie($_COOKIE[session_name()], '', time() - 315705600,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]);
    }
    else setcookie($_COOKIE[session_name()],"",time() - 315705600,'/');
    setcookie($smf_settings['cookiename'], "", time() - 315705600,'/');
    @smf_sessionDestroy(session_name());
    @session_destroy();
    //at this point they should be logged out right?
	return true;
}

The code for smf_getUserInfo is:

Code Select


function smf_getUserInfo($email)
{
    if (!isset($email)) return false;	
    global $smf_connection, $smf_settings, $smf_user_info;
    //it will be slashed in the db
    $email = addslashes($email);
    if (!$smf_connection)
	return false;
    //check if that email is in the db first
    if(!smf_query("
	SELECT ID_MEMBER
	FROM $smf_settings[db_prefix]members
	WHERE emailAddress = '$email'
	LIMIT 1", __FILE__, __LINE__))
	    return false;
    //extract the info
    $request = smf_query("
	SELECT *
	FROM $smf_settings[db_prefix]members
	WHERE emailAddress = '$email'
	LIMIT 1", __FILE__, __LINE__);
    if (mysql_num_rows($request) != 0)
    {
        $smf_user_info = mysql_fetch_assoc($request);
        return $smf_user_info;
    }
    else return false;
}

So if you put these two functions in the api, include or require_once the api in your cms, then call the logout function and pass a valid email to it, it should log the user with that email out of SMF

News:

SSI Sessions help