SMF integration help

[henryford]

Orstio, you are right. I am using the integrate_verify_user hook so once i log into CMS i am getting logged into SMF showing same user name on the forum as on the CMS. So till that stage it is fine. However, if user clicks on some link in the forum now, there is a loss of session data and user is logged out of SMF while he is still logged in the CMS.  i cannot handle the loss of session data problem due to SMF trying to prevent session fixation. so i was thinking if i need some other strategy to overcome the session data problem. Felt that te answer might be in the two suggestions you had that i copy pasted.

my CMS+SMF works great in IE but gets into trouble in FF.

[danp_canucks]

One thing that you can do is reload your SESSION state by reading the SMF's cookie after the login takes place.  You can get the following info out of the COOKIE

Code Select Expand



//SMF_COOKIE is the name of the cookie that's set by SMF you set the name in //the settings.php file

$data=unserialize($_COOKIE['SMF_COOKE']);


          $ID_MEMBER=$data[0];
         
          $pwHash=$this->$data[1]; //this is sha1(passwd.passwordSalt) from the SMF members table,

//         $data[2] is the the cookie time

/ /        $data[3] is the cookie state




I'm not sure which SMF functions call for the reset of the SESSION_ID, but you could reload the CMS SESSION state by using the function provided below in the SMF integration hooks, or you can reload the CMS SESSION when a person leaves the forum using the same function.  Here is some pseudo-code for what that function might look like:

cms_some_page.php

Code Select Expand



<?

function loadCmsState(){

  if(isset($_SESSION['cmsData']))
         return;

  if(isset($_COOKIE['SMF_COOKIE'])){

      $data=unserialize($_COOKIE['SMF_COOKE']);


       $ID_MEMBER=$data[0];
         
       $pwHash=$this->$data[1]; //this is sha1(passwd.passwordSalt) from the SMF members table,

      //SET CMS SESSION DATA USING the information from $data

       return true;




  }

   return false


}


$loginState=loadCmsState();

//CMS CODE
............................

?>



[henryford]

Thanks Canucks

So i think it works like this.
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
    At end of step 2 your SMF cookie is set.
3. On the SMF index.php page, add the extra code to get $ID_MEMBER.
   You can get $ID_MEMBER from the SMF cookie now
                                  OR
   You can get $ID_MEMBER by using CMS SESSION['user_name'] and calling integrate_verify_user

If the $ID_MEMBER is available at the start of index.php of SMF everything should work as desired.

2 Questions

(a) Is there a bridge to log user in once they have logged into CMS ? or you have to use the index.php?action=login2  in a header location ?

(b) How to kill the SMF cookie when user is logging OFF from CMS.

As Orstio said, I think the javascript code is indeed a breach of security. We dont want someone to get into administrator access of the forum.

[henryford]

Can an SMF cookie be generated for a given username ? Then i can just generate an SMF cookie from the CMS login page using the member_name (member_name is unique and is the same in the CMS member table and SMF member table) without really logging the user in SMF. I can destroy this cookie from the CMS logout page. 

[Orstio]

What is your setting for local storage of cookies?  Subdomain independent cookies?

So i think it works like this.
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
    At end of step 2 your SMF cookie is set.
3. On the SMF index.php page, add the extra code to get $ID_MEMBER.
   You can get $ID_MEMBER from the SMF cookie now
                                  OR
   You can get $ID_MEMBER by using CMS SESSION['user_name'] and calling integrate_verify_user

Your logic here is flawed.

It's more like this:

1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
    At end of step 2 your SMF cookie is set.
                                  OR
   You can get $ID_MEMBER by using CMS SESSION['user_name'] and calling integrate_verify_user

I don't understand why you think you need to write code for SMF to get information from SMF's cookie.  SMF does that all on its own.

[henryford]

Orstio

These are my settings -
Enable local storage of cookies - Yes
Use subdomain independent cookies - No

I think i am unable to communicate properly here. I am logging through CMS. So SMF cannot create cookie on its own till i also log in to SMF somehow. Right ?

Actually i even tried to set a cookie after logging in to my CMS
setcookie("RSAMF", $result_username, time()+3600);

Then in SMF's index.php file i tried

if(isset($_COOKIE['RSAMF']))
{
$MEMBER_NAME=$_COOKIE['RSAMF'];
$_SESSION['user_name'] = $MEMBER_NAME;
}

if($_SESSION['user_name'] != NULL)
{

   define('SMF_INTEGRATION_SETTINGS', serialize(array(
      'integrate_verify_user' => 'integrate_verify_user',
   )));

......... (same as before)


This time again, when i click on a board or topic, the cookie data is also not visible ! I tried with echo $MEMBER_NAME.

[henryford]

I think i see what you mean now. So it will be enough to somehow log into SMF after user has logged into CMS. (I will need help for this)

The SMF will itself try to find user data from cookie even i do not explicitly add anything on SMF's index.php

That means i dont even need to add the integrate_verify_user hook at the start of SMF's index.php (I register users into SMF automatically once they register into CMS)

Right ?

So then, i will need to write the code to login into SMF after the user logs into CMS. You have to point me in some direction as to how to do this >

[Orstio]

When using any form of integration local cookies should always be off.  I think the term "local" in this case can be misinterpreted -- It means the cookies are stored on the server where SMF resides, not on the user's computer.

You might also need to turn on subdomain independent cookies.  THis depends greatly on the server.

[Orstio]

The SMF will itself try to find user data from cookie even i do not explicitly add anything on SMF's index.php

That means i dont even need to add the integrate_verify_user hook at the start of SMF's index.php (I register users into SMF automatically once they register into CMS)

No, you still don't have it.

This is an either-or situation.

You either log the user into your CMS, and then use the integrate_verify_user hook to make SMF simulate being logged in.

OR

You log the user into SMF when they log into the CMS by trying to set the SMF cookie.

OR

You log the user into the CMS when they log into SMF by trying to set the CMS cookie.

Those are three completely different workflows that will not affect each other.

[henryford]

if i have my forum at

mysite.org/smf

that does not mean subdomain right ?

if it were like smf.mysite.org then that would mean subdomain. i am not sure if again it is a loosely used word.

also i have database driven session ON

[Orstio]

You're correct about subdomains, but that doesn't mean that the cookies are going to work right without setting subdomain cookies on.  Sometimes just trying to set the cookie from a directory other than the SMF directory requires subdomain independent cookies are set on.

I suggest you first try to turn off local cookies, and if you still don't have a cookie, then turn on subdomain independent cookies.

[henryford]

Orstio

I am grateful to you for all your inputs and feedback.  I think i am at the edge of solving it, but then again more time i spend more it gets confusing. Following up on your previous post - I am using scenario 1.

"log the user into your CMS, and then use the integrate_verify_user hook to make SMF simulate being logged in"

Now this is good. When i click on 'Forums Tab' i see that i am logged in (Given  i already logged into the CMS)
The problem is i am loosing session data whenever i am clicking on any board topic search etc in the forum. Without session data (i mean $_SESSION['cms_user_name'] i cannot use the integrate_verify_user  hook anymore. At this point i cannot make SMF simulate being logged in any more and i am logged out of the forum.

I am still logged in to the CMS ! And this happens only in Firefox, not in IE.

In IE my session data is always there and i can run integrate_verify_user at the start of the SMF's index.php file making SMF feel that i am logged in.

So I was trying to get a backup redundancy of setting the SMF cookie so that in case i dont have the SESSION data, i can read data off the cookies.

But seems like subdomain's cannot read Cookies that i am creating from the login.php of the CMS.

Cookie created from
www.mysite.org/login.php can be accessed by www.mysite.org/smf but not even by www.mysite.org/smf/index.php which seems slightly weird !

Let me follow your suggestion step by step about the turning OFF and ON the cookie settings and see how that goes.

Thanks again.
HF

[drool]

So i think it works like this.
1. Login to CMS
2. Login to SMF from the CMS login.php code (I mean add some extra code to login to SMF)
    At end of step 2 your SMF cookie is set.

what does this means " At end of step 2 your SMF cookie is set", so by then the cookie is set,

to verify the cookie I  added this (code)

Code Select Expand

f(isset($_COOKIE['SMF_COOKIE'])){

      $data=unserialize($_COOKIE['SMF_COOKE']);


       $ID_MEMBER=$data[0];
         
       $pwHash=$this->$data[1]; //this is sha1(passwd.passwordSalt) from the SMF members table,

      //SET CMS SESSION DATA USING the information from $data

       return true;

before the end of the hook function "integrate_login" to retrieve the cookie

but I can't retrieve the SMF cookie - need help on this one thanks!!!!! 

[Orstio]

A trick I use in some bridges to update the session in the bridged forum is to put this in the CMS after including SSI:

Code Select Expand

$sc = &$context['session_id'];
$_SESSION['USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];

That way, SMF sessions stay uniform throughout the site, and will update the entire site session when the SMF session changes to avoid the session fixation.

Perhaps that will help?

[henryford]

Seems that all my problems were from a missing www in the url string on settings.php

I changed the url in settings.php from http://sitename.com to http://www.sitename.com and everything works perfect now !

Previously, internet explorer was being lenient on my site and allowing the session data to be held across all the pages while firefox was dropping session data whenever anything was clicked inside the forum. Now seems these errors dont occur.

I found this hint on another thread where someone said that she was getting Session time out and someone gave this suggestion of trying to put the www

Thanks Orstio and Canucks for all your help! I should also thank the person who suggested the www thing. Maybe i will modify my posting once i find him

[Orstio]

I changed the url in settings.php from http://sitename.com to http://www.sitename.com and everything works perfect now !

That's just goingto break sessions for those who access your site without the "www".

What you want to do is turn on subdomain independent cookies.

[danp_canucks]

Or set up your server to redirect all relevant incoming traffic to www.yoursite.com [nofollow]

[henryford]

Yes i have turned subdomain independent cookies ON. Thanks guys !

[drool]

Orstio, you are right. I am using the integrate_verify_user hook so once i log into CMS i am getting logged into SMF showing same user name on the forum as on the CMS. So till that stage it is fine. However, if user clicks on some link in the forum now, there is a loss of session data and user is logged out of SMF while he is still logged in the CMS.  i cannot handle the loss of session data problem due to SMF trying to prevent session fixation. so i was thinking if i need some other strategy to overcome the session data problem. Felt that te answer might be in the two suggestions you had that i copy pasted.

my CMS+SMF works great in IE but gets into trouble in FF.

I'm also having the same problem...
"However, if user clicks on some link in the forum now, there is a loss of session data and user is logged out of SMF while he is still logged in the CMS."

Please correct me if I'm wrong...
should I set the cookie first in CMS before going to the SMF???

[henryford]

drool

1. what is your CMS ? (Joomla, Drupal, PhPMotion,..)
2. Where is your SMF ? (www.smf.yoursite.com or www.yoursite.com/smf)
3. What are your settings for the Server Setup in SMF Admin Panel ?
               Local Cookies ?
               Subdomain Independent Cookies ?
4. Also, what is your URL as it appears in the SMF Admin Server Settings page ? (http://yoursite.com or http://www.yoursite.com) ?

* I am assuming you are using the integrate_verify_user hook.

HF