Hi all,

I have searched for a precise answer to this question in the forums, but while this seems a common request, no precise solution has been given yet.

What we want to do is simple. We have a forum shared by many websites; we are now adding services for registered users only also in our websites. So, for example, a registered user will be able to vote in an article, to submit a review, and so on. Of course, it wouldn't make sense to ask users to register for the forums and the websites separately, so we'd just like to use the forums' user database also within the websites.

I have seen there are many issues, first of all problems in setting cookies simultaneously for different domains. Can someone help me in some way? Any suggestion would be extremely welcome! Thank you!

This is a FAQ and has been answered over and over agein already ;)

OK, so once more:
Cookies are bound to one domain only, so there is no way (without tricks like 1px images to transport cookies) to use one cookie on 2 domains.

To identify a vBulletin user, 2 cookies are important: bbuserid and bbpasword (where bb is a cookie-prefix, .could also be smth. else -> config.php)

Cookie bbuserid should be obvious: this is the userid.
Cookie bbpassword is a bit more complicated. This md5(md5(md5('PlaintextPassword'), salt), 'LicenseNo').
PlaintextPassword is the password, salt the value of column salt (in table user) for this user, LicenseNo is you vBulletin license number.

Column password in table user is md5(md5('PlaintextPassword'), salt).

Does this help you?

This is a FAQ and has been answered over and over agein already ;)

OK, so once more:
Cookies are bound to one domain only, so there is no way (without tricks like 1px images to transport cookies) to use one cookie on 2 domains.

To identify a vBulletin user, 2 cookies are important: bbuserid and bbpasword (where bb is a cookie-prefix, .could also be smth. else -> config.php)

Cookie bbuserid should be obvious: this is the userid.
Cookie bbpassword is a bit more complicated. This md5(md5(md5('PlaintextPassword'), salt), 'LicenseNo').
PlaintextPassword is the password, salt the value of column salt (in table user) for this user, LicenseNo is you vBulletin license number.

Column password in table user is md5(md5('PlaintextPassword'), salt).

Does this help you?
Thank you for the reply.

I never coded a cookie based script, but I should be able to do it. Anyhow, the problem is I don't know how to make so that once the user is logged in in a website, he is automatically logged in when he visits another website on our network. What should I do? Create one cookie for each domain whenever the user login in a website (so, when he logins in site1.com he gets the cookies for site1.com, site2.com, site3.com, site4.com)?

@Carlito

Take a look at:
https://vborg.vbsupport.ru/showthread.php?t=70429
https://vborg.vbsupport.ru/showthread.php?t=70296

@Carlito

Take a look at:
https://vborg.vbsupport.ru/showthread.php?t=70429
https://vborg.vbsupport.ru/showthread.php?t=70296
Sigh, nobody can answer this problem here?

Sigh, nobody can answer this problem here?
Its not simple in any means. and what I've figured to work requires 1 single server and 1 single database. plus requires quite abit of work ontop of that.

I would love to see a similar mod (if not the same).

I am just about to buy a few more vb licenses for different domains / websites. I would like all the vbulletin forums of mine to share the same user database. e.g a user signs up to one site and will become a member of all my vb sites. I presume he will have to login to each because of cookies (correct me if Im wrong), but he would keep all the cp settings / username / pw etc.

If it's possible, then a few questions... Would all domains have to be on same server? (security reasons?) Could the usergroups be modified per each forum (im aware it would be a lot more coding)?

I wouldn't mind paying for a decent and reliable code. Please PM me if you interested in or post here if you have any useful suggestions, I would be grateful.

Thanks

oops should i open a thread in paid services? Or should I just camp here waiting for my saviour lol

The reason you won't find any clear solution to this problem is simply that for security reason no browser will allow setting a cookie for a different domain. Imagine what could happen if another website could access/set/change a cookie for your website.

Coffee2k3,

I've have been struggling with the same problem as well. But there simply isn't a simple solution to it, or any solution for that matter that covers it.

What you could (and please correct me if I am wrong as I only read this somewhere, peeps), is to include global.php and let people login to their accounts. It will mean a multiple login, but then again you will have access to the right information.

I am going to give that a try in the near future, as we're stuck with a .net and .tv on the same server where the .tv is the forum and the .net is the site itself.

Thanks for the replies MarcoH64 and Digma

Sorry if I wasn't clear in my post, I don't mind if members will have to login each time they visit another forum of mine - I just want the same user information (username and password, usercp settings) to be shared between my forums. To be able to set primary usergroups would be a great advantage if possible but there are ways to get around it.

My forums currently consist of 4 vBulletin forums each running vb2 code. There are two domains with one domain having 3 forums. The mod we made for vb2 centralized some tables into a shared database. The tables included user, userprofile, usergroups, privatemessage and about 6 others. This permits our users to have one username/password combination and use it across each of our 4 forums.

Since one forum uses a different domain, they won't be logged on automatically if they were logged on using the other domain. However, if they stay in the same domain, they will remain logged in when they are using cookies.

Who cares about vb2.... Well, that was our starting point. I've made similar modifications already for vbulletin 3 code. I've tested my changes that share about 20 tables.

How much to share depends on your implementation. For example, we opted to share calendar and holiday data. Others may not want that shared.

We've abandoned our need for this modification. I've already put in over 100 hours towards this modification, but we're doing something else. So far, the modification is over 900 lines.

As far as the cookie issue discussed, I did have to change that area as well since it depends on the license number. And with multiple license numbers, I needed something common. Problem solved.

I also added a flag to "unshare" the tables. This is required anytime you want to upgrade your forums. Otherwise, updating may fail depending on what changes the vBulletin update script makes.

I also have not completed necessary admin/mod panel modifications. Fox example, if you delete a user in one forum, the other forums would need to have posts removed if that is what you want. Birthday cron messages should only go out for one forum. These backend features are where I left off.

Are you a programmer who could take what I have and use it for your own modification? I can't justify continuing to make this modification since I no longer need it.

I guess PM me if you want to work something out. It would probably be best if I just handed my work (as a diff file) over to you and let you continue it from here.

Unless you're a programmer, I wouldn't advise using this modification. We've used it on vb2 for 3 years with vb2. This and other modifications caused many, many months delay in implementing a vbulletin 3 solution. And in the end, we're having to go a different route. Further, each time a new version of vBulletin is released, at least one hour of patching and verification is required. I've improved my efficiency in upgrading, but every time I must look at the changes and think through how it impacts a shared user environment--specifically looking for new queries or changes to existing tables/queries. If you don't do these things, you may encounter problems. To those users who say, "I upgraded in 5 minutes thanks to Beyond Compare." I say, "More power to ya, buddy!"

thanks all for replying. I will think of something else to do it!

thanks all for replying. I will think of something else to do it!

I was just thinking of one thing. Please follow me, and tell me if this could help:

1 - two different domains need the same user authentication. They are mywebsite1.com and mywebsite2.com.
2 - I have another website, named mynetwork.com. I create virtual subdomains web1.mynetwork.com and web2.mynetwork.com, redirecting respectively to mywebsite1.com and mywebsite2.com.
3 - Now, if I try to set a cookie from mywebsite1.com for *.mynetwork.com, would it work on both websites?

Thanks!

Had another idea... but maybe it's not doable.

What if I include an image in all my websites coming from the same forum's domain. Let's say I have mywebsite2.com and in it I put something like

include("http://mywebsite1.com/printimage.php");

This script will print an image AND will set a cookie for mywebsite2 when the user login in mywebsite2...

1 - two different domains need the same user authentication. They are mywebsite1.com and mywebsite2.com.
2 - I have another website, named mynetwork.com. I create virtual subdomains web1.mynetwork.com and web2.mynetwork.com, redirecting respectively to mywebsite1.com and mywebsite2.com.
3 - Now, if I try to set a cookie from mywebsite1.com for *.mynetwork.com, would it work on both websites?

If you had all the forums installed as subdomains, I think I'm correct in saying that you could share the cookies across them, but it's possible that the login script would need to sit on the main domain.

For instance, I think example.com can create cookies which are accessible by *.example.com (site1.example.com, site2.example.com, etc..) but site1.example.com cannot create cookies for site2.example.com.

Therefore, the best way I can see of doing this is to create a master login script on example.com, then modify all forums to redirect to this script when a login is required. Obviously this doesn't address the shared user database issues you may encounter.



Had another idea... but maybe it's not doable.

What if I include an image in all my websites coming from the same forum's domain. Let's say I have mywebsite2.com and in it I put something like

include("http://mywebsite1.com/printimage.php");

This script will print an image AND will set a cookie for mywebsite2 when the user login in mywebsite2...

I think you're confusing a few techniques here. A way round the multi-site login problem could be to create a login script which can accept the username and password as GET info (part of the URL string) rather than POST info, and put this on each site. Then, in the login handler template, you'd have something along the lines of:


<?

echo '<img src="http://www.site1.com/login_image.php?username=' . $_POST['username'] . '&password=' . $_POST['password'] . '" />';

?>


Without testing this, I couldn't say if this poses any security risks, but I would favour the master login script method I mentioned above.

Something worth remembering is that if you use PHP to include a file from an external webserver, it will make an HTTP request for that file, which means the file will be executed by PHP on the other server in the same way it would be if you were browsing to it - the diffence is that the "browser" in this case will be your webserver, and not the user, thus any cookies that are set will not go to the user's browser. Also, your server will only see the results of the script after it has been executed on the other server, so will not have access to any of the functions defined within that file.

Hope this all makes sense, and helps :)

Paul.

If you had all the forums installed as subdomains, I think I'm correct in saying that you could share the cookies across them, but it's possible that the login script would need to sit on the main domain.

For instance, I think example.com can create cookies which are accessible by *.example.com (site1.example.com, site2.example.com, etc..) but site1.example.com cannot create cookies for site2.example.com.

Therefore, the best way I can see of doing this is to create a master login script on example.com, then modify all forums to redirect to this script when a login is required. Obviously this doesn't address the shared user database issues you may encounter.




I think you're confusing a few techniques here. A way round the multi-site login problem could be to create a login script which can accept the username and password as GET info (part of the URL string) rather than POST info, and put this on each site. Then, in the login handler template, you'd have something along the lines of:


<?

echo '<img src="http://www.site1.com/login_image.php?username=' . $_POST['username'] . '&password=' . $_POST['password'] . '" />';

?>


Without testing this, I couldn't say if this poses any security risks, but I would favour the master login script method I mentioned above.

Something worth remembering is that if you use PHP to include a file from an external webserver, it will make an HTTP request for that file, which means the file will be executed by PHP on the other server in the same way it would be if you were browsing to it - the diffence is that the "browser" in this case will be your webserver, and not the user, thus any cookies that are set will not go to the user's browser. Also, your server will only see the results of the script after it has been executed on the other server, so will not have access to any of the functions defined within that file.

Hope this all makes sense, and helps :)

Paul.
Hello,

thanks for clearing things up a bit! No, unfortunately, not all domains are subdomains, I have also completely different domains, so I guess I cannot use the main login script approach you suggested...

Hello,

thanks for clearing things up a bit! No, unfortunately, not all domains are subdomains, I have also completely different domains, so I guess I cannot use the main login script approach you suggested...
How does the image thingy work exactly?

This is a FAQ and has been answered over and over agein already ;)

Column password in table user is md5(md5('PlaintextPassword'), salt).

Does this help you?

Bit of a long shot but does anyone know If I can reproduce the password in VB.Net. I'm trying to create a 'Post a Comment' link on another site which is .Net, tried all sorts of variations of MD5 but the resulting hash code is never the same as the database.

Bit of a long shot but does anyone know If I can reproduce the password in VB.Net. I'm trying to create a 'Post a Comment' link on another site which is .Net, tried all sorts of variations of MD5 but the resulting hash code is never the same as the database.
I had another idea - please let me know if this may lead to some problems -

1) I have mysecondarywebsite.com;
2) user insert his username/password;
3) he is sent to mymainwebsite.com with username and password as _POST data. They are checked against vb database. If correct, cookies are set. He is sent back to mysecondarywebsite.com;
4) his cookies are verified again at mysecondarywebsite.com and set also for that domain.

The problem is that if I have more than one website it is going to be a mess.

Then, another thing I could do is to put all the forms processing pages to insert data, together with the main login script, on mymainwebsite.com. When the user enters a value on mysecondarywebsite.com or on mythirdwebsite.com, he is redirected to a script on mymainwebsite.com with all info he has submitted as POST data. Now, in this script I will check also for identity of the user before inserting data...

A way round the multi-site login problem could be to create a login script which can accept the username and password as GET info (part of the URL string) rather than POST info, and put this on each site. Then, in the login handler template, you'd have something along the lines of:


In the end, this seems the easiest solution but I am concerned about security. Can somebody tell me which kind of security holes this may open?

Thanks!

I don't see how it would be a problem if you had multiple vB copies (legal) and just used ONE of the copies accross all of the sites. Link them all to the same database, and just go from there.

Hi,

I'm not an expert on this subject but i may have a solution.

Why don't you point all your domains to one domain with several licenced vb3's on that server, each in separate directory's and seperate databases?

Could the cookie monster work then?

Has anybody ever come up with a working solution? I would love to have many VB sites that use just the same user table!

I would love to see a mod that allowed this. I'd be willing to pay well for it :)

I would pay as well, but sadly it appears that you can only do this without editing virtually every vB file if you use... IPB

Go figure

Bit of a long shot but does anyone know If I can reproduce the password in VB.Net. I'm trying to create a 'Post a Comment' link on another site which is .Net, tried all sorts of variations of MD5 but the resulting hash code is never the same as the database.


rarrrr. Zombie thread! Probably too late to help you, but hopefully others will find it while searching.

I was having this exact same problem because .net's inbuilt FormsAuthPasswordFormat doesn't work the same as php. The following crappy snippet I came up with works for me with 3.6.0 and salted passwords.

ASCIIEncoding ae = new ASCIIEncoding();
MD5 md5 = new MD5CryptoServiceProvider();
byte[] data = new byte[ae.GetByteCount(str)];
byte[] result = md5.ComputeHash(ae.GetBytes(str));
password = "";

for (int i=0; i<result.Length;i++)
{
password += (Uri.HexEscape(Convert.ToChar(result[i]))).Remove(0,1).ToLower();
}

Hi folks. I gave up on the nay-sayers and did my own project. Requires no modification of VB pages, just a plugin.

http://nowonder.com
http://macosx.com

Share the same forum, you can login to one site, and if you use the top right link to the other site or any link that links directly to the other site without a redirect will keep your same session active.

This works on the same server, can be same or different ips, different servers and in my scenario it shares the same DB. No javascript used or issuing illegal cookies or quick/stupid redirects.

We provide high level forum integration between sites but comes at a fee. If you are interested in this, please IM me with your information and requirements. Everyone has unique needs so we customize solutions for your needs and let you know if its possible. (we don't listen to everyone else that say it isn't)

Scott

Cookie bbpassword is a bit more complicated. This md5(md5(md5('PlaintextPassword'), salt), 'LicenseNo').
PlaintextPassword is the password, salt the value of column salt (in table user) for this user, LicenseNo is you vBulletin license number.

I've been looking for just this, and was very happy to read this. I have a forum under forum.domain.com and another site at www.domain.com, so the domain is the same. But they are to different sites. I want to create ONE login and thought if I made the exact same cookies on the www-site as the forum made I would be all set... I tried setting the userid and password, but didn't help.

Then I found your post. Finally I found the answer and was able to set the bbuserid and bbpassword cookies exactly the same as the forum sets it. But it still doesnt work.

I log in to the main site, the bbuserid and bbpassword cookies are set correctly, but when I go on the forum I'm still not logged in.

Edit:
Seems like this is because the sessionhash cookie isn't correct set... Do you have the recipe for that cookie as well and how that cookie is set up?

Like the last poster, I am able to authenticate the user fine and set the cookies on the forum server, but for some reason when I got to my forum homepage and hit refresh, the user is not logged in.

I have tried various methods as well but no luck.

-I've tried using cURL and sending my user info to login.php

-I've tried running this function after I set my cookies too: process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']); but no luck

Any help? I'm using the lastest version of VB. Basically the user session is not created.

Thanks.

This works for me to log in a user. I'm using vBulletin 3.6.8. I pulled the following from a larger module; hopefully I got everything necessary:

require_once(FORUMPATH.'/includes/init.php');
require_once(FORUMPATH.'/includes/functions.php'); // vbsetcookie, etc.
define('PERMANENT_COOKIE', false);

function fetch_userinfo_from_username($username)
{
// This duplicates the functionality of fetch_userinfo(),
// only with the user name instead of numeric ID as the argument.
// Adapted from verify_authentication() in functions_login.php

global $vbulletin;
$username = strip_blank_ascii($username, ' ');
$vbulletin->userinfo = $vbulletin->db->query_first(
"SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM "
. TABLE_PREFIX . "user WHERE username = '" .
$vbulletin->db->escape_string(htmlspecialchars_uni($username)) ."'");
return $vbulletin->userinfo;
}


// ======== USER LOGIN / LOGOFF ========

function login($username)
{ // password not needed -- assumes you've already authenticated it
global $vbulletin;
fetch_userinfo_from_username($username);
// set cookies
vbsetcookie('userid', $vbulletin->userinfo['userid'],
PERMANENT_COOKIE, true, true);
vbsetcookie('password',
md5($vbulletin->userinfo['password'].COOKIE_SALT),
PERMANENT_COOKIE, true, true);
// create session stuff
process_new_login('', 1, '');
}


function logout()
{
process_logout(); // unsets all cookies and session data
}


This seems to work pretty well. It cleanly logs on and establishes all the session stuff, and cleanly logs off.

I have a much more complete version of the code above, to create, delete, log on, log off, and modify users in this article.

-A