Author Topic: SMF Cookie Format?  (Read 17625 times)

Offline Mike Bobbitt

  • Full Member
  • ***
  • Posts: 597
    • Army.ca
SMF Cookie Format?
« on: March 16, 2004, 02:23:17 PM »
Hi all,

I'm the author of album.pl, a photo gallery that can be used with SMF (among other forums).

I'd like to be able to read (but not write) SMF cookies for auto-login. Problem is, they're different from what I've seen in the past. Anyone know what the format is?

Looks like it's got the username (escaped somehow?) and then a hashed password, but I can't guess the format of either. Before I go digging in the code, I thought I'd ask here.


Thanks

Offline Grudge

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 10,742
  • Gender: Male
  • Unofficial nuisance
Re: SMF Cookie Format?
« Reply #1 on: March 16, 2004, 02:39:20 PM »
Hi,

The cookie is set here:
Code:
setcookie($cookiename, serialize(array($ID_MEMBER, $password)), time() + (60 * $modSettings['cookieTime']), $cookie_url[1], $cookie_url[0], 0);

As you can see it's a serialized version of the ID_MEMBER and the password. The password itself is generated by these two lines:
Code:
$md5_passwrd = md5_hmac($_REQUEST['passwrd'], strtolower($_REQUEST['user']));
$password = md5_hmac($md5_passwrd, 'ys');

So basically it's double hashed, and uses the username and password entered by the user to generate the "password".

md5_hmac is a custom function used by SMF and is this:
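Code:
// MD5 Encryption.
function md5_hmac($data, $key)
{
    // Keys longer than the 64-byte MD5 block are replaced by their raw MD5 digest.
    if (strlen($key) > 64)
        $key = pack('H*', md5($key));
    // Pad the key with NUL bytes to exactly one block.
    $key  = str_pad($key, 64, chr(0x00));

    // Inner and outer pads: the key XORed with 0x36 and 0x5c.
    $k_ipad = $key ^ str_repeat(chr(0x36), 64);
    $k_opad = $key ^ str_repeat(chr(0x5c), 64);

    // Outer hash over the raw inner digest; the result is a 32-character hex string.
    return md5($k_opad . pack('H*', md5($k_ipad . $data)));
}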

Hope this helps.
I'm only a half geek really...
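
An added example, not part of the original thread and not SMF or album.pl code: a read-only check of the cookie described in the reply above, written in Python. It parses the serialized pair with a strict pattern rather than a generic unserializer and compares hashes in constant time; the function names, and the assumption that the reader already holds the member's first-stage hash (`stage1_hash`), are not from the thread.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Strict grammar for serialize(array($ID_MEMBER, $password)): exactly two
# elements, an integer (or digit-string) id and a 32-hex-digit string.
_COOKIE_RE = re.compile(
    r'a:2:\{i:0;(?:i:(\d{1,10});|s:(\d+):"(\d{1,10})";)'
    r'i:1;s:32:"([0-9a-f]{32})";\}'
)

def md5_hmac(data: bytes, key: bytes) -> str:
    # The PHP md5_hmac() quoted above is standard HMAC-MD5 (RFC 2104) with
    # hex output, so the stdlib can compute it. Note the (data, key) order.
    return hmac.new(key, data, hashlib.md5).hexdigest()

def cookie_password(passwrd: str, user: str) -> str:
    """Two-stage value the quoted login code stores in the cookie."""
    stage1 = md5_hmac(passwrd.encode(), user.lower().encode())
    return md5_hmac(stage1.encode(), b"ys")

def parse_cookie(raw_value: str):
    """Return (member_id, hash) or None. Anything off-grammar is rejected,
    so attacker-supplied serialized objects are never interpreted."""
    m = _COOKIE_RE.fullmatch(unquote(raw_value))
    if m is None:
        return None
    if m.group(2) is not None and int(m.group(2)) != len(m.group(3)):
        return None  # declared string length does not match the payload
    return int(m.group(1) or m.group(3)), m.group(4)

def cookie_is_valid(raw_value: str, member_id: int, stage1_hash: str) -> bool:
    """stage1_hash is md5_hmac(passwrd, lowercased user) for member_id,
    assumed to be available to the reading application."""
    parsed = parse_cookie(raw_value)
    if parsed is None or parsed[0] != member_id:
        return False
    expected = md5_hmac(stage1_hash.encode(), b"ys")
    return hmac.compare_digest(expected, parsed[1])
```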

Offline Mike Bobbitt

  • Full Member
  • ***
  • Posts: 597
    • Army.ca
Re: SMF Cookie Format?
« Reply #2 on: March 16, 2004, 03:35:54 PM »
Thanks, that's exactly the info I was looking for... Appreciate you providing the code sample and the explanation! Looks like I'll have an "SMF compatible" version shortly...  8)


Cheers

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: SMF Cookie Format?
« Reply #3 on: March 16, 2004, 04:03:07 PM »
Just a warning, not trying to be mean or anything here, but do remember that the code he quoted is *still* under the same license as the other SMF code.

We're looking into the possibility of offering that and other segments in other languages in different licenses.  However, this is important to note if you are using GPL or etc. as your license.

Please contact Jeff Lewis or Joseph Fung - or even me - for more information.

Thanks,
-[Unknown]

Offline Mike Bobbitt

  • Full Member
  • ***
  • Posts: 597
    • Army.ca
Re: SMF Cookie Format?
« Reply #4 on: March 16, 2004, 04:07:48 PM »
Ahhh, thanks for the note... album.pl is actually written in Perl, so none of the SMF code will appear in it. In fact, I believe I can do the "double HMAC" bit with built-in packages. It looks identical to the YaBB SE HMAC method, which I've already written in Perl.

Good to know though, as it wouldn't have crossed my mind otherwise.

Thanks again...

Offline Tyris

  • Sophist Member
  • *****
  • Posts: 1,306
  • Gender: Male
    • Shana Project
Re: SMF Cookie Format?
« Reply #5 on: March 16, 2004, 11:59:09 PM »
hmmm... with relevance to [Unknown]'s post... what does this mean for CMS authors...? basically: are we allowed to use that code in any CMSs that we write... :S? if not... how much would we be able to 'replicate' or whatever for it to be legal...? and is this the same if the CMS is not going to be distributed at all?

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: SMF Cookie Format?
« Reply #6 on: March 17, 2004, 12:06:09 AM »
You'd be best asking these questions directly of Jeff Lewis.

-[Unknown]

Offline Tyris

  • Sophist Member
  • *****
  • Posts: 1,306
  • Gender: Male
    • Shana Project
Re: SMF Cookie Format?
« Reply #7 on: March 17, 2004, 12:16:36 AM »
ok, thanx for the quick reply... with the number of posts coming in every time I log off... I'm barely reading anything anymore :-[
* Tyris waits for Jeff to logon

Offline Mike Bobbitt

  • Full Member
  • ***
  • Posts: 597
    • Army.ca
Re: SMF Cookie Format?
« Reply #8 on: March 17, 2004, 02:45:33 PM »
Thanks guys, album.pl is now capable of reading SMF cookies and authenticating against the SMF database.

Keep up the great work!