Inline SSI login

revgreed · June 25, 2023, 02:21:16 AM

I am making a web page which includes SMF's SSI. More specifically, a page that has an inline login at the top of the page with restricted content for logged on users below the login. And that after login, then it stays on the current page. Here's my entire code for this:

Code Select

<?php
require_once('/var/www/html/community/SSI.php');
?>

<!DOCTYPE html>
<html>
<head>
    <title>Login</title>
	<style>
		body {
			margin: 0;
			padding: 0;
		}
		.top-frame {
			position: fixed;
			top: 0;
			left: 0;
			width: 100%;
			height: 15%;
			background-color: #f1f1f1;
			z-index: 9999;
			overflow: hidden;
			display: flex;
			align-items: center;
		}
		.login-form {
			display: flex;
			align-items: center;
			margin-left: auto;
			margin-right: 20px;
		}
		.login-form label {
			margin-right: 5px;
		}
		.login-form input {
			margin-right: 10px;
		}
		.blocked-content {
			margin-top: 15%;
			padding: 20px;
		}
	</style>
</head>
<body>
	<div class="top-frame">
		<?php
		$cur_link = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[PHP_SELF]";

		global $context, $txt;

		if ($context['user']['is_logged'])
			ssi_welcome();
		else {
			ssi_login($cur_link, 'block');

			echo '
				<div id="login_form" class="login-form">
					<form action="', $scripturl, '?action=login2" method="post" accept-charset="', $context['character_set'], '">
						<label for="user">', $txt['username'], ':</label>
						<input type="text" id="user" name="user" size="9" value="', $user_info['username'], '" class="input_text" />
						<label for="passwrd">', $txt['password'], ':</label>
						<input type="password" name="passwrd" id="passwrd" size="9" class="input_password" />
						<input type="hidden" name="cookielength" value="-1" />
						<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
						<input type="submit" value="', $txt['login'], '" class="button_submit" />
					</form>
				</div>';
		}
		?>
	</div>

    <?php

if ($context['user']['is_logged']) 
echo '
        <div>
	<div class="blocked-content">
		
		<p>This is the blocked content that only logged-in users can see.</p>
	</div>
    </div>';
    ?>
</body>
</html>

Although the code displays an inline login correctly - upon attempting to login - it throws the error:

QuoteToken verification failed. Please go back and try again.

And Inspect > Console throws a 403 (Forbidden) error.

Furthermore, when logged into the forum via the forum itself, then when I go back to my custom page it is not displaying ssi_welcome() - it only displays the Username and Passwords fields. Even the restricted area doesn't become visible when logged into the forum via the forum:

Code Select

<?php

if ($context['user']['is_logged']) 
echo '
        <div>
	<div class="blocked-content">
		
		<p>This is the blocked content that only logged-in users can see.</p>
	</div>
    </div>';
    ?>

What I've tried:

1. Open and close the browser.
2. Multiple browsers.
3. Clearing cache.
4. Incognito mode.
5. Changed cookie names in Admin > Maintenance > Server Settings > Cookies and Sessions

You cannot view this attachment.

I'm just not sure what I'm overlooking, or if I am doing this correctly in general. Can someone take a glance to see what I'm doing wrong here? I just can't seem to figure it out. Thank you in advance.

I'm using:

SMF 2.1.4
PHP 8.1.2
mysql Ver 15.1 Distrib 10.6.12-MariaDB

Kindred · June 25, 2023, 05:56:18 AM

Where is that custom page located as compared to ssi.php?

revgreed · June 25, 2023, 12:30:44 PM

Quote from: Kindred on June 25, 2023, 05:56:18 AMWhere is that custom page located as compared to ssi.php?

Its location is as follows: https://mywebsite.com/event/custom_page.php

revgreed · June 25, 2023, 02:49:55 PM

Just some additional information:

As you can see, my SSI.php is located here:

/var/www/html/community/SSI.php

And if I place my 'custom_page.php' in the /community directory, & try to login, then it still throws the error:

QuoteToken verification failed. Please go back and try again.

However, if I login via the forum, then go to my 'custom_page.php' - it will display ssi_welcome() and the restricted content as it should.

Kindred · June 25, 2023, 08:58:59 PM

Turn on subdomain independent cookies
Turn off local cookies

revgreed · June 26, 2023, 12:51:07 AM

Okay, turned off local cookies, then I turned on subdomain independent cookies. I entered my 'Main domain used for subdomain independent cookies' in the appropriate field. Cleared cache/cookies.

I'm still getting the same error when trying to login from my custom_page.php regardless where the file is located.

Kindred · June 26, 2023, 10:22:09 AM

Can you try just using "echo" for the ssi definition instead of "block" and using you own form?

See if that works first

revgreed · June 26, 2023, 01:53:46 PM

I changed the definition to just 'echo' and used my own form - it's throwing the same error.

Kindred · June 27, 2023, 10:53:32 AM

sorry, confusion of the english language...

disable your form.
use echo (which uses the internal form, defined in SSI)

I want to confirm that the problem is with the application of the login, not the custom form that you built.

revgreed · June 27, 2023, 03:05:39 PM

Ah, I believe I understand now.

I disabled my form, used 'echo' instead of 'block'.

It displayed the normal internal form - I used it to login and it worked.

Kindred · June 27, 2023, 04:30:00 PM

Thank you.

So, that confirms that the problem is in the custom code that you have for your login form... so now we know that we have to debug THAT rather than core SMF code.

revgreed · June 27, 2023, 05:11:29 PM

Good deal!

Thank you for getting me to this spot, and ruling out core SMF. I just can't seem for the life of me in figuring out what I'm doing wrong. I genuinely appreciate your help with this.

revgreed · July 01, 2023, 01:48:18 PM

I finally figured out what I was doing wrong pertaining to my custom login.

I needed to add the following to the form:

Code Select

<input type="hidden" name="', $context['login_token_var'], '" value="', $context['login_token'], '">
TO MAKE:

Code Select

<?php
		$cur_link = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[PHP_SELF]";

		global $context, $txt;

		if ($context['user']['is_logged'])
			ssi_welcome();
		else {
			ssi_login($cur_link, 'block');

			echo '
				<div id="login_form" class="login-form">
					<form action="', $scripturl, '?action=login2" method="post" accept-charset="', $context['character_set'], '">
						<label for="user">', $txt['username'], ':</label>
						<input type="text" id="user" name="user" size="9" value="', $user_info['username'], '" class="input_text" />
						<label for="passwrd">', $txt['password'], ':</label>
						<input type="password" name="passwrd" id="passwrd" size="9" class="input_password" />
						<input type="hidden" name="cookielength" value="-1" />
						<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />
                                                <input type="hidden" name="', $context['login_token_var'], '" value="', $context['login_token'], '">
						<input type="submit" value="', $txt['login'], '" class="button_submit" />
					</form>
				</div>';
		}
		?>
	</div>

    <?php

This will produce an inline SSI login which stays on the page when you login:

You cannot view this attachment.

And of course you can style the form with CSS however you want.

News:

Inline SSI login