Hello

I am trying to code some sections on my website to validate users through the VB member database. I was able to figure out how to do that by using the salt and double md5 hashing to compare passwords.

However, I would like to auto-login members if they have already logged into vbulletin. I know that when you login there is a cookie set that contains the userid number, but this is not strong enough to validate a user's login. I think that anybody can spoof the userid in the cookie through the header.

Does anybody know how I can securely validate a user if they are logged in?

thanks in advance

Roy

There are two cookies necessary (which are being set when you log into vB):

(bb)userid and (bb)password where (bb) is the default cookie-prefix (you might have another one).

bbuserid should be obvious.
bbpassword is md5(md5(md5('password') . $salt) . 'LicenseNo')
where LicenseNo ist your license number (found on top of each PHP-file).

There are two cookies necessary (which are being set when you log into vB):

(bb)userid and (bb)password where (bb) is the default cookie-prefix (you might have another one).

bbuserid should be obvious.
bbpassword is md5(md5(md5('password') . $salt) . 'LicenseNo')
where LicenseNo ist your license number (found on top of each PHP-file).
:D

Thanks! I was looking for exactly that information.