Solution now found, check a few posts below...

Ok here is my current project:

I am attempting to have users on my website (www.mysite.com) login and have them also logged in on my forum (forum.mysite.com). They can share cookies as they share the domain, right? When using my login function on my website, I create the bbuserid and bbpassword cookies appropriately. This is fairly simple.

Creating the session does not appear to be. As anyone using external login knows, a row in the session table must be created that has a matching sessionhash to that found in the bbsessionhash cookie.

Im trying to figure out how vbulletin creates the session hash. Ive been able to create the idhash, as well as am able to fill out the userid, host, lastactivity, and useragent fields. I am guessing, since this is external login, that the location field would be set to '/'. The function fetch_sessionhash looks like such a maze... it looks liek an md5 of Time(), $_SERVER['REQUEST_URI'], idhash, user ip, and a random # from 1 to 1000000.

If, in my websites controller, I send a row to the session table containing the info above, along with my bbuserid and bbpassword cookies, will vBulletin think I am logged in? Will it work if I generate the sessionhash that way from my website and then navigate to my forum? If not, how do you create the proper row in the session table in order to be "logged in" on vBulletin?

I have been searching the forums all day for the answer to this, and am unable to find any useable info. Could anyone show me the minimum data to send to the vb_session table in order for external login to work? TIA

:up:

--------------- Added at 21:50 ---------------

Oh and another question... will it work if I just place some random string in the sessionhash and also match that string in the bbsessionhash cookie? Will it find me logged in and just switch these strings once ive navigated to the forum or at least somewhere within the forum?

Why don't you do this.

1. Copy the login form HTML from the navbar template.
2. Replace all the variables ($vbphrase etc), with plain text
3. Add the absolute url to /clientscript/vbulletin_md5.js to make sure it gets included.
4. Add the absolute url to the form's action 'login.php?do=login'

You're done, it'll log you in and redirect you back to where you were.

lol... that sounds way too easy. ill give it a shot...

still, can anyone answer the original question?

You've already found the formula...fetch_session_hash(). Simply trace back the constants.

TIMENOW
define('TIMENOW', time());

SCRIPTPATH
if ($_SERVER['PATH_INFO'] OR $_ENV['PATH_INFO'])
{
$scriptpath = $_SERVER['PATH_INFO'] ? $_SERVER['PATH_INFO'] : $_ENV['PATH_INFO'];
}
else if ($_SERVER['REDIRECT_URL'] OR $_ENV['REDIRECT_URL'])
{
$scriptpath = $_SERVER['REDIRECT_URL'] ? $_SERVER['REDIRECT_URL'] : $_ENV['REDIRECT_URL'];
}
else
{
$scriptpath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_ENV['PHP_SELF'];
}

if ($_SERVER['QUERY_STRING'] OR $_ENV['QUERY_STRING'])
{
$scriptpath .= '?' . ($_SERVER['QUERY_STRING'] ? $_SERVER['QUERY_STRING'] : $_ENV['QUERY_STRING']);
}

$quest_pos = strpos($scriptpath, '?');
if ($quest_pos !== false)
{
$script = urldecode(substr($scriptpath, 0, $quest_pos));
$scriptpath = $script . substr($scriptpath, $quest_pos);
}
else
{
$scriptpath = urldecode($scriptpath);
}

define('SCRIPTPATH', preg_replace('/(s|sessionhash)=[a-z0-9]{32}?&?/', '', $scriptpath));

SESSION_IDHASH
$alt_ip = $_SERVER['REMOTE_ADDR'];

if (isset($_SERVER['HTTP_CLIENT_IP']))
{
$alt_ip = $_SERVER['HTTP_CLIENT_IP'];
}
else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND preg_match_all('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3 }#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches))
{
foreach ($matches[0] AS $ip)
{
if (!preg_match("#^(10|172\.16|192\.168)\.#", $ip))
{
$alt_ip = $ip;
break;
}
}
}
else if (isset($_SERVER['HTTP_FROM']))
{
$alt_ip = $_SERVER['HTTP_FROM'];
}

$alt_ip = implode('.', array_slice(explode('.', $alt_ip), 0, 3));

define('SESSION_IDHASH', md5($_SERVER['HTTP_USER_AGENT'] . $alt_ip));

SESSION_HOST
define('SESSION_HOST', $_SERVER['REMOTE_ADDR']);

SESSIONHASH
$sessionhash = md5(TIMENOW . SCRIPTPATH . SESSION_IDHASH . SESSION_HOST . vbrand(1, 1000000));

well because of the random func on the end, is this even possible? Will a new session be generated once I navigated to the forum regardless of what I insert into the table and set the cookie to?

It appears that after creating the above data, that navigating to the forum creates a new session for a non-logged in user, and overwrites the cookie for the logged in user (or rather, user attempting to log in externally). Therefore, am I safe in assuming that this isnt possible?

--------------- Added at 16:20 ---------------

Why don't you do this.

1. Copy the login form HTML from the navbar template.
2. Replace all the variables ($vbphrase etc), with plain text
3. Add the absolute url to /clientscript/vbulletin_md5.js to make sure it gets included.
4. Add the absolute url to the form's action 'login.php?do=login'

You're done, it'll log you in and redirect you back to where you were.

doesnt work. heres my code (found at the bottom of my website's login routiene):

echo '<form action="http://forum.mysite.com/login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<script type="text/javascript" src="http://forum.mysite.com/clientscript/vbulletin_md5.js?v=368"></script>
<input type="submit" value="Log in" accesskey="s" />
<input type="hidden" name="s" value="1" />
<input type="hidden" name="vb_login_password" value="' . $user_txtpassword . '" />
<input type="hidden" name="vb_login_username" value="' . $user_name . '" />
<input type="hidden" name="cookieuser" value="1" />
<input type="hidden" name="do" value="login" />
<input type="hidden" name="vb_login_md5password" />
<input type="hidden" name="vb_login_md5password_utf" />
</form>';

runs through it, does nothing.

has anyone here gotten external login to work properly?

i was able to do this by using the php headers function, if anyone is interested in doing this in the future.

you may need to visit www.php.net and research cURL() and the header() funcs to get this to work right

first, my website opens a curl session and emulates the same action as the login form (sends the info through a post array). then, i save the results of the curl session in a string (the results will be the html page that the login routine on VB will return). I then parse the string where the cookies are found - this would be the sessionhash cookie and the other cookies generated by the login routine. i create the userid and such cookies with my own funcs that act just like the login on vb. then i take the string with the session hash in it and store it in a variable to be sent with the header(). sending all 5 headers as setcookie headers properly creates the sessionhash, userid, and other cookies (NOTE: this is *NOT* the setcookie() func, as that will not work from one domain to another).

i can now login externally from my website to the forum.

doesnt work. heres my code (found at the bottom of my website's login routiene):

echo '<form action="http://forum.mysite.com/login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<script type="text/javascript" src="http://forum.mysite.com/clientscript/vbulletin_md5.js?v=368"></script>
<input type="submit" value="Log in" accesskey="s" />
<input type="hidden" name="s" value="1" />
<input type="hidden" name="vb_login_password" value="' . $user_txtpassword . '" />
<input type="hidden" name="vb_login_username" value="' . $user_name . '" />
<input type="hidden" name="cookieuser" value="1" />
<input type="hidden" name="do" value="login" />
<input type="hidden" name="vb_login_md5password" />
<input type="hidden" name="vb_login_md5password_utf" />
</form>';runs through it, does nothing.

has anyone here gotten external login to work properly?


Sorry, I didn't realize you had replied here.

Here's the code I threw together a month ago. Works fine. Just edit the first two lines, and test it out.

<?php

// ################################################## #################

// Edit this

// Relative or absolute path to your vBulletin installation
define('VBPATH', '../testvb');

// Absolute URL to return to after logging in.
$returnto = 'http://localhost/sites/vb_remote_login/login3.php';

// Done editing


// ################################################## #################
// Get the basics from vB
define('VB_AREA', 'MyExternalSite');
require_once(VBPATH . '/includes/init.php');

$vbphrase = init_language();
$vboptions =& $vbulletin->options;
$bbuserinfo =& $vbulletin->userinfo;

// ################################################## #################
// Simulate a "loginform" template
$loginform = '';
if ($vbulletin->userinfo['userid'] < 1)
{
$loginform = <<<ENDL
<style type="text/css">
.login {background-color:#CCC; border:1px solid #999;}
.login td {background-color:#EEE;padding:4px;}
</style>

<!-- login form -->
<form action="$vboptions[bburl]/login.php?do=login&amp;return=$returnto" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, $show[nopasswordempty])">
<script type="text/javascript" src="$vboptions[bburl]/clientscript/vbulletin_md5.js?v=$vboptions[simpleversion]"></script>
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" class="login">
<tr>
<td class="smallfont"><label for="navbar_username">$vbphrase[username]</label></td>
<td><input type="text" class="bginput" style="font-size: 11px" name="vb_login_username" id="navbar_username" size="10" accesskey="u" tabindex="101" value="$vbphrase[username]" onfocus="if (this.value == '$vbphrase[username]') this.value = '';" /></td>
<td class="smallfont" colspan="2" nowrap="nowrap"><label for="cb_cookieuser_navbar"><input type="checkbox" name="cookieuser" value="1" tabindex="103" id="cb_cookieuser_navbar" accesskey="c" />$vbphrase[remember_me]</label></td>
</tr>
<tr>
<td class="smallfont"><label for="navbar_password">$vbphrase[password]</label></td>
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
<td><input type="submit" class="button" value="$vbphrase[log_in]" tabindex="104" title="$vbphrase[enter_username_to_login_or_register]" accesskey="s" /></td>
</tr>
</table>
<input type="hidden" name="s" value="$session[sessionhash]" />
<input type="hidden" name="do" value="login" />
<input type="hidden" name="vb_login_md5password" />
<input type="hidden" name="vb_login_md5password_utf" />
</form>
<!-- / login form -->
ENDL;
}

// ################################################## #################
// Simulate a "logoutlink" template
$logoutlink = '';
if ($vbulletin->userinfo['userid'] > 0)
{
$logoutlink = <<<ENDL
<a href="$vboptions[bburl]/login.php?$session[sessionurl]do=logout&amp;logouthash=$bbuserinfo[logouthash]&amp;return=$returnto" onclick="return log_out('$vbphrase[sure_you_want_to_log_out]')">$vbphrase[log_out]</a>
ENDL;
}

// ################################################## #################
// Simulate the page's template
$pageoutput = <<<ENDL
<html><head><title>Non-vB Page</title></head>
<body>
<hr>
$loginform
$logoutlink
<hr>
</body>
</html>
ENDL;

// ################################################## #################
// Send to browser
echo $pageoutput;
die;
?>

ianskate, it sounds like you have a good solution. I'm pretty competent with curl, but since I'm in the same EXACT situation as you (forum is on a subdomain, on the same server), would you mind sharing your code? :erm: That would save me at least a couple of hours coding and debugging.

Thanks in advance! -Matt

This is amazing, I've been wondering how to make users logged from bbpixel's joomla bridge appear in useronline... but it doesn't seem easy at all.

I get it you need to build a sessionhash yourself and put it in the sessiontable? what happens if you just insert a row in vbsession with userid and location?