PDA

View Full Version : v3.8.1 logouthash


shiznatix
07-15-2009, 02:27 PM
Hey,

Does anyone know how the logouthash is created in v3.8.1? I have found this thread: https://vborg.vbsupport.ru/showthread.php?t=101601 but it seams quite dated so I was wondering if there was anything new (as I believe there to be) and how they make it now. Thanks!

Dismounted
07-16-2009, 07:29 AM
AFAIK, it is simply the session token now.

shiznatix
07-16-2009, 09:34 AM
Whats the session token and where do I find it? Its not the session id, and not the session hash that are in the session table so where do I get the token?

Also, I don't think its just the session token. If you try to logout with a blank logouthash it gives you an error and says "click here to logout" and the link has a new logouthash on it. But if you refresh the page the logouthash changes so if it was just based on the session id then it would not change. Also, look at how it looks: 1247739885-e72547c8fad34e0149248154a4ade6e3f9dd5542 it looks like an id of some sort and then a hash of well...something.

Any other ideas as to where I can find this mysterious logouthash creation code?

Dismounted
07-16-2009, 09:50 AM
Sorry, I actually meant security token - not session. :p

shiznatix
07-16-2009, 10:50 AM
Aye, I have found this part out but I am wondering how the security token is created, stored, found, etc. I am sharing the session between the forum and our main site but on the main site I need the logout button and for this I require the logouthash / security token creation code.

--------------- Added 1247746146 at 1247746146 ---------------

Never mind, I found the code! To create the securitytoken (which is the logouthash) you do this:

$user['securitytoken_raw'] = sha1($user['userid'] . sha1($user['salt']) . sha1(COOKIE_SALT));
$user['securitytoken'] = TIMENOW . '-' . sha1(TIMENOW . $user['securitytoken_raw']);

Dismounted
07-16-2009, 11:36 AM
Note that the cookie salt is your license number.