SMF Cookie Format?

Started by Mike Bobbitt, March 16, 2004, 02:23:17 PM

Previous topic - Next topic

Mike Bobbitt

Hi all,

I'm the author of album.pl, a photo gallery that can be used with SMF (among other forums).

I'd like to be able to read (but not write) SMF cookies for auto-login. Problem is, they're different from what I've seen in the past. Anyone know what the format is?

Looks like it's got the username (escaped somehow?) and then a hashed password, but I can't guess the format of either. Before I go digging in the code, I thought I'd ask here.


Thanks

Grudge

Hi,

The cookie is set here:

setcookie($cookiename, serialize(array($ID_MEMBER, $password)), time() + (60 * $modSettings['cookieTime']), $cookie_url[1], $cookie_url[0], 0);


As you can see it's a serialized version of the ID_MEMBER and the password. The password itself is generated by these two lines:

$md5_passwrd = md5_hmac($_REQUEST['passwrd'], strtolower($_REQUEST['user']));
$password = md5_hmac($md5_passwrd, 'ys');


So basically it's double hashed, and uses the username and password entered by the user to generate the "password".

md5_hmac is a custom function used by SMF and is this:

// MD5 Encryption.
function md5_hmac($data, $key)
{
if (strlen($key) > 64)
$key = pack('H*', md5($key));
$key  = str_pad($key, 64, chr(0x00));

$k_ipad = $key ^ str_repeat(chr(0x36), 64);
$k_opad = $key ^ str_repeat(chr(0x5c), 64);

return md5($k_opad . pack('H*', md5($k_ipad . $data)));
}


Hope this helps.
I'm only a half geek really...

Mike Bobbitt

Thanks, that's exactly the info I was looking for... Appreciate you providing the code sample and the explaination! Looks like I'll have an "SMF compatibile" version shortly...  8)


Cheers

[Unknown]

Just a warning, not trying to be mean or anything here, but do remember that the code he quoted is *still* under the same license as the other SMF code.

We're looking into the possibility of offering that and other segments in other languages in different licenses.  However, this is important to note if you are using GPL or etc. as your license.

Please contact Jeff Lewis or Joseph Fung - or even me - for more information.

Thanks,
-[Unknown]

Mike Bobbitt

Ahhh, thanks for the note... album.pl is actually written in perl, so none of the SMF code will appear in it. In fact, I believe I can do the "double HMAC" bit with builtin packages. It looks identical to the YaBB SE HMAC method, which I've already written in Perl.

Good to know though, as it wouldn't have crossed my mind otherwise.

Thanks again...

Tyris

hmmm... with relevance to [Unknown]'s post... what does this mean for CMS authors...? basically: are we allowed to use that code in any cms's that we write... :S? of not... how much would we be able to 'replicate' or whatever for it to be legal...? and is this the same if the cms is not going to be distributed at all?

[Unknown]

You'd be best asking these questions directly of Jeff Lewis.

-[Unknown]

Tyris

ok, thanx for the quick reply... with the number of posts coming in every time I log off... I'm barely reading anything anymore :-[
* Tyris waits for Jeff to logon

Mike Bobbitt

Thanks guys,  album.pl is now capable of reading SMF cookies and authenticating against the SMF database.

Keep up the great work!

Advertisement: