vb3 cookie userid not set unless 'remember me'?


DavidMacLean
June 21st, 2004, 03:52 PM
Using: vbadvanced cmps, vb3, photopost 48, netscape 7.1

I am not reliably getting the integration between vb3 and photopost.
Sometimes my vb login is recognized by photopost, sometimes not. Paths and domains double-checked, I believe the problem is elsewhere...

Looks like photopost uses the userid cookie ('bb' may be your prefix).

After a little experimenting, it seems this cookie is only set if the user checks "remember me".

Yet vbadvanced cmps and vb3 are able to translate whatever cookies are kicking around into valid logins.

I am beginning to suspect I may need to use the sessionhash to get a record from the session table, check the userid is non-zero, and take that value as the userid.

If this were true, I'd have expected to find discussion of it here?

Anyone recognize this symptom? Am I barking up the wrong tree?

Please and thank you.

Chuck S
June 21st, 2004, 05:50 PM
Photopost uses the true cookie, correct. There is a mod, I believe, on Photopostdev.com where they modify VB login to always have the checkbox checked.

We use the userid and password to verify a user.

DavidMacLean
June 21st, 2004, 07:37 PM
Thank you for the speedy reply and confirmation.

I will check it out over at dev, but from what you are saying, my estimation is correct.

Forcing "remember me" on leaves the cookie on the PC. Public libraries, internet cafes etc. Not always desirable or secure. A tighter integration with vb3 might be something to consider for a future release.

Thanks again.

Bryan Ex
June 21st, 2004, 08:14 PM
David... a fix for that was posted by another user a while back but it seems it's since been purged from the beta forum. Let me check my file notes and I'll send it to you later tonight.

Bryan Ex
June 22nd, 2004, 08:07 AM
Okay David - try this out. It has completely fixed both the "Remember Me" and account activation problems with my VB3 & PhotoPost integration. Credit and thanks go to Interdit for assisting me on this one!

In the vb3.php file ( photopost/forums/vb3.php ) find the following code around line 234;

else {
$cookuser = addslashes($authuser);
list( $userid, $username, $email, $dbpassword, $temppass, $usergroups, $offset, $spoiltvar, $salt ) = get_userinfo( $cookuser );
$md5cookpass = md5(md5(md5($password) . $salt) . $Globals['vblicense']);
}

Right after that add the following;

// Look up the online user from the cookie and session -- Interdit

$cookieok = "0";
if (isset($_COOKIE['sessionhash'])){

    // Escape the cookie value before it goes into the query
    $sessionid = addslashes($_COOKIE["sessionhash"]);

    $query = "SELECT userid FROM {$Globals['dprefix']}session WHERE sessionhash='$sessionid'";
    $details = mysql_query($query);
    $sessinfo = $details ? mysql_fetch_array($details) : false;

    // Only trust the session if a row was found and it has a non-zero userid
    if ($sessinfo && intval($sessinfo['userid']) > 0) {
        $cookuser = intval($sessinfo['userid']);

        list( $userid, $username, $email, $dbpassword, $temppass, $usergroups, $offset, $spoiltvar, $salt ) = get_userinfo( "", $cookuser );

        $authuser = $username;
        $md5cookpass = md5(md5(md5($password) . $salt) . $Globals['vblicense']);
        $cookieok = "1";
    }
}

// Look up the online user from the cookie and session -- END

A couple of lines down from there find;

$md5dbpass = md5($dbpassword . $Globals['vblicense']);

And add below it;

// $cookieok is only set when the session lookup above succeeded
if (isset($cookieok) && $cookieok == "1") $md5cookpass = $md5dbpass;

Save and upload.

After these changes my users were able to access PhotoPost without the "Remember Me" box checked and they could also start browsing my site directly from the account activation window without having to log out and back in first. I had difficulty with this at first because I use a different cookie prefix (in my case "aso") and had to add it to the first couple of lines.

Sample with aso used as cookie prefix;

// Look up the online user from the cookie and session -- Interdit

if (isset($_COOKIE['asosessionhash'])){

    // Escape the cookie value before it goes into the query
    $sessionid = addslashes($_COOKIE["asosessionhash"]);

Hope that helps... :)

DavidMacLean
June 22nd, 2004, 11:11 AM
You bet that helps, thank you.

The cookie prefix is given by $Globals['cookieprefix'], but the syntax gets tricky; I hard-coded it for now, just as you did.

If anyone from the photopost team is listening, also note the logout function in vb3 fails to include the cookie prefix.

Cheers
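
The session lookup discussed in this thread, as an added example that is not part of any post and is not PhotoPost or vBulletin code: it builds the cookie name from $Globals['cookieprefix'], checks the value's shape, uses a bound parameter, and treats a missing row or userid 0 as not logged in. The 32-character hex hash format, the function name session_userid and the SQLite sample data are assumptions made for the illustration.

```php
<?php
// Added example. Table and column names (session, sessionhash, userid) and
// the $Globals keys come from the thread; the 32-hex-character hash format
// is an assumption.

function session_userid(PDO $db, array $cookies, array $Globals): int
{
    // Build the cookie name from the configured prefix instead of hard-coding it.
    $name = $Globals['cookieprefix'] . 'sessionhash';
    $hash = $cookies[$name] ?? '';

    // Reject anything that is not shaped like a session hash before touching the DB.
    if (!is_string($hash) || !preg_match('/\A[a-f0-9]{32}\z/', $hash)) {
        return 0;
    }

    // Bound parameter: the cookie value never becomes part of the SQL text.
    $stmt = $db->prepare(
        "SELECT userid FROM {$Globals['dprefix']}session WHERE sessionhash = ?"
    );
    $stmt->execute([$hash]);
    $userid = $stmt->fetchColumn();

    // No row, or a guest session (userid 0), means "not logged in".
    return $userid === false ? 0 : (int) $userid;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session (sessionhash TEXT PRIMARY KEY, userid INTEGER)');
$db->exec("INSERT INTO session VALUES ('" . str_repeat('ab', 16) . "', 42)");
$db->exec("INSERT INTO session VALUES ('" . str_repeat('cd', 16) . "', 0)");

$Globals = ['cookieprefix' => 'aso', 'dprefix' => ''];

$cases = [
    'member session'  => ['asosessionhash' => str_repeat('ab', 16)],
    'guest session'   => ['asosessionhash' => str_repeat('cd', 16)],
    'malformed value' => ['asosessionhash' => "abc' malformed"],
    'wrong prefix'    => ['bbsessionhash'  => str_repeat('ab', 16)],
];
foreach ($cases as $label => $cookies) {
    printf("%-16s => userid %d\n", $label, session_userid($db, $cookies, $Globals));
}
```

Only the first case resolves to a user (42); the other three return 0, so the caller falls back to the normal login check.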