View Full Version : Using VBulletin to authenticate users to my software?


NeilFawcett
03-11-2006, 06:26 PM
I'd like to use the registration system of VBulletin to verify/identify users for a perl script I've got.

Ideally I'd like a link in VBulletin (ie: a link forum) to fire off my perl script. As part of that link I'd include the current session id of the user. On entering my perl script I'd then read the session table from the SQL database for the session id (passed to me) to get the username & if they're logged on (userid/loggedin).

From there my script should be happy. ie: I know that the person accessing my script has logged in successfully to VBulletin to get that far and I can take over from that point...


My questions are simply:-
a) Can I include the user's session id in a link (somehow)? Preferably as a "Forum Link", ie: A forum definition that's actually a link. Or could I hardcode it in a template using the forum ID and include the session id in there somehow?
b) I know from Perl I can read MYSQL etc, so I assume I can read the "session" table/record using "sessionhash" and check "userid" and "loggedin" are OK?
c) If I wish to take a payment to allow access to the perl script, how could I use the subscription system in VBulletin? ie: What record/table would I have to read to see if the user has subscribed/paid?


I'm very new to VBulletin so I apologise if any of these questions are noobish!

Using VBulletin to verify users would really help my site. Taking payments/subscription via VBulletin would be a nice bonus! :)

filburt1
03-11-2006, 08:26 PM
A session ID is not a suitable means of authenticating somebody. A link with a session ID can be copied and pasted to some other site, and when users click the link, your script will think that they're authenticated.

NeilFawcett
03-12-2006, 07:42 AM
A session ID is not a suitable means of authenticating somebody. A link with a session ID can be copied and pasted to some other site, and when users click the link, your script will think that they're authenticated.

a) Surely a session ID is only valid for X minutes or so? ie: When I go to the forum, it recognises my logon and assigns me a session ID. When I stop using the forum, the session record will surely be deleted within X minutes? Therefore if I try and use my suggested link after these X minutes, the session record wouldn't even exist and authentication in my script would not be valid (as it wouldn't find a session record)?

b) My script would ensure the request came from my site; the REFERER (referrer) would have to be my site. ie: Someone could not post a link on another site (as you suggest), and loads of people click it within the X minutes.

c) I could even take one step further and validate say the first 3 elements of the IP address - if that's what is held in "location" on that session table?

Surely this is a fairly good means of me piggy-backing off the VBB authentication system?

filburt1
03-12-2006, 03:09 PM
a. That timeout is configurable. The default is 20 minutes, but it can be anything the administrator specifies.
b. A referer can be faked.
c. An IP address is not a sufficient means of authenticating, especially only the first three octets which can be used for a pool of DHCP addresses.

NeilFawcett
03-12-2006, 04:06 PM
a. That timeout is configurable. The default is 20 minutes, but it can be anything the administrator specifies.
b. A referer can be faked.
c. An IP address is not a sufficient means of authenticating, especially only the first three octets which can be used for a pool of DHCP addresses.

What I'm after here is a reasonably realistic way of using the registration system of VBB to authenticate users, not a system that would be used by the CIA :)

The above three suggestions used in combination would mean that someone could potentially get their session id, and give it to someone else, but it would only work if they did so within 20 minutes, and the other person was in their local area. But in general it's pretty tight? It would also mean they were risking the other person going into their VBB account itself!

Can you maybe suggest what might work, rather than what won't? :)

Am I right in saying that if someone has cookies enabled then the session id is held in cookies? As such could I only include the session id in my link from VBB to my software if cookies are disabled?


So my software would first of all interrogate cookies for the session id, and then failing that look for it in the URL. This would make it even more secure?


Any suggestions/help would be most appreciated...

Carnage
03-14-2006, 11:57 PM
I think there is a cookie vb stores that you could look for as an extra check. I'm not 100% sure, but I think it stores something like:

md5(customer_number . md5(md5(md5(password) . salt)))

You could find out exactly what it is that's stored and use that.
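
Added example (not code from any poster in this thread): a sketch of the session-table lookup discussed above, written so that it accepts the session id from the cookie only, never from the URL or the Referer, and enforces the idle timeout itself instead of assuming stale rows have been deleted. It is in Python with an in-memory SQLite table standing in for the forum's MySQL database. The cookie name `bbsessionhash`, the `lastactivity` column, the 32-hex-character id format and the helper names are assumptions; `session`, `sessionhash`, `userid` and `loggedin` are the names used in the thread.

```python
import sqlite3
import time
from http.cookies import SimpleCookie

SESSION_TIMEOUT = 20 * 60       # default quoted in the thread; admin-configurable
COOKIE_NAME = "bbsessionhash"   # assumed cookie name
HEX = set("0123456789abcdef")

def session_user(db, cookie_header, query_params, now=None):
    """Return the logged-in userid for this request, or None."""
    now = int(time.time()) if now is None else now
    # A session id in a link travels with every copy of that link, so
    # query_params is deliberately ignored: only the cookie is accepted.
    morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
    if morsel is None:
        return None
    sessionhash = morsel.value
    # Assumed format: 32 lowercase hex characters. Reject anything else early.
    if len(sessionhash) != 32 or not set(sessionhash) <= HEX:
        return None
    row = db.execute(
        "SELECT userid, loggedin, lastactivity FROM session"
        " WHERE sessionhash = ?", (sessionhash,)).fetchone()
    if row is None:
        return None
    userid, loggedin, lastactivity = row
    if userid <= 0 or not loggedin:             # guest session
        return None
    if now - lastactivity > SESSION_TIMEOUT:    # stale row not yet cleaned up
        return None
    return userid

def demo_db(now):
    """Constructed sample rows: one live, one idle for an hour, one guest."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (sessionhash TEXT PRIMARY KEY,"
               " userid INTEGER, loggedin INTEGER, lastactivity INTEGER)")
    db.executemany("INSERT INTO session VALUES (?, ?, ?, ?)", [
        ("a" * 32, 42, 1, now - 60),
        ("b" * 32, 42, 1, now - 3600),
        ("c" * 32, 0, 0, now - 10),
    ])
    return db

if __name__ == "__main__":
    now = int(time.time())
    db = demo_db(now)
    for sid in ("a" * 32, "b" * 32, "c" * 32):
        print(sid[:4], session_user(db, COOKIE_NAME + "=" + sid, {}, now))
```

The session cookie only reaches the script if it is served from a host and path that the forum's cookie domain and path settings cover.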