Shadeauxe
06-17-2009, 03:35 PM
I am a ColdFusion programmer. I don't know anything really about PHP. I spent most of yesterday searching for posts about the vbulletin cookies and sessions. I found many useful posts that helped me figure out how all of the cookies got their variables.
I have created all of the cookies that I believe I need to and made an entry in the session table, but I must be missing something because the forum still acts like it doesn't know who I am.
Here's what I have done:
Cookies
All cookies are set to .domainname.com and have a path of /
bbpassword - md5 hash of password from db and the serial number, my cookie matches the one set when I log in for real exactly
bbuserid - set to my userid in the vbf_user table
bbsessionhash - md5 hash of timestamp+path+idhash(agent+client IP)+agent+random#, as far as I can tell this is correct but it's impossible to make a match because of the random number
bblastactivity - this is set to 0 because that's what it gets set to when I log in, I tried timestamp also but it didn't seem to matter
bblastvisit - timestamp (# of seconds since 1/1/1970 at midnight)Query
(CF uses # for its variables)
<cfquery name="addsession" datasource="forums">
INSERT INTO vbf_session
(sessionhash, userid, host, idhash, lastactivity,
styleid, loggedin, bypass, useragent,location)
VALUES ('#sessionhash#',#getuser.userid#,'#cgi.REMOTE_ADD R#',
'#idhash#',#epochdate#,0,2,0,'#cgi.HTTP_USER_AGENT #'
,'/index.php')
</cfquery>
My idhash exactly matches the one created by vbulletin when I log in normally. "#sessionhash# matches what I put into the cookie. Everything I insert into that table matches what vbulletin adds, except session hash, but that matches my cookie.
Obviously, I am missing something, but I don't know enough about vbulletin's process of verifying sessions to figure out what it is.
I've looked at the core file (I don't remember the full path and exact name) and I see that it compares the session hash in the db with what I assume is the cookie (again I am unfamiliar with php) and checks the last active date against now+timeout and the IP address. I assume that query must be failing somehow or else this would work.
The backup query look like it should use the cookies of userid and password if sessionhash lookup fails, but that doesn't seem to be working for me either even though my cookies are identical.
The only difference between my cookies and the vbulletin cookies is that mine has capital names, which CF is doing on its own. But I didn't think cookie names were case sensitive.
Any help would be very appreciated. I have been researching this for hours and it's been very frustrating. I realize there are other ways for me to accomplish this using php, but I need to use CF because of other stuff that is going on.
--------------- Added 1245262663 at 1245262663 ---------------
I fixed it. My problem was the cookie names. Apparently, even though cookie names should be case insensitive, PHP is case sensitive.
In case anyone else looks this up, to get ColdFusion to make lowercase cookie names, you have to use the cfheader tag...
<cfheader name="Set-Cookie" value="bblastactivity=0; expires=1;domain=.domainname.com;path=/">
I have created all of the cookies that I believe I need to and made an entry in the session table, but I must be missing something because the forum still acts like it doesn't know who I am.
Here's what I have done:
Cookies
All cookies are set to .domainname.com and have a path of /
bbpassword - md5 hash of password from db and the serial number, my cookie matches the one set when I log in for real exactly
bbuserid - set to my userid in the vbf_user table
bbsessionhash - md5 hash of timestamp+path+idhash(agent+client IP)+agent+random#, as far as I can tell this is correct but it's impossible to make a match because of the random number
bblastactivity - this is set to 0 because that's what it gets set to when I log in, I tried timestamp also but it didn't seem to matter
bblastvisit - timestamp (# of seconds since 1/1/1970 at midnight)Query
(CF uses # for its variables)
<cfquery name="addsession" datasource="forums">
INSERT INTO vbf_session
(sessionhash, userid, host, idhash, lastactivity,
styleid, loggedin, bypass, useragent,location)
VALUES ('#sessionhash#',#getuser.userid#,'#cgi.REMOTE_ADD R#',
'#idhash#',#epochdate#,0,2,0,'#cgi.HTTP_USER_AGENT #'
,'/index.php')
</cfquery>
My idhash exactly matches the one created by vbulletin when I log in normally. "#sessionhash# matches what I put into the cookie. Everything I insert into that table matches what vbulletin adds, except session hash, but that matches my cookie.
Obviously, I am missing something, but I don't know enough about vbulletin's process of verifying sessions to figure out what it is.
I've looked at the core file (I don't remember the full path and exact name) and I see that it compares the session hash in the db with what I assume is the cookie (again I am unfamiliar with php) and checks the last active date against now+timeout and the IP address. I assume that query must be failing somehow or else this would work.
The backup query look like it should use the cookies of userid and password if sessionhash lookup fails, but that doesn't seem to be working for me either even though my cookies are identical.
The only difference between my cookies and the vbulletin cookies is that mine has capital names, which CF is doing on its own. But I didn't think cookie names were case sensitive.
Any help would be very appreciated. I have been researching this for hours and it's been very frustrating. I realize there are other ways for me to accomplish this using php, but I need to use CF because of other stuff that is going on.
--------------- Added 1245262663 at 1245262663 ---------------
I fixed it. My problem was the cookie names. Apparently, even though cookie names should be case insensitive, PHP is case sensitive.
In case anyone else looks this up, to get ColdFusion to make lowercase cookie names, you have to use the cfheader tag...
<cfheader name="Set-Cookie" value="bblastactivity=0; expires=1;domain=.domainname.com;path=/">