Detect login change on external page
 

Hi all,

I'm building a site that hops aboard the registration/login facilities of an existing vBulletin installation. I've set up the forum and main site on the same domain, and configured the cookies to be shared between both domains.

On the main site I have a plugin that loads the vBulletin core if required, and lets it detect whether there is a valid login going on. From a performance perspective however, I don't want to spend 0.05 second or whatever it is loading up vBulletin if it's not really required, so I'm using some smart code that only loads it when either the 'bbuserid' or 'bbsessionhash' cookies are set, iow only when the user is logged in to the forum. I then load vB, detect a login, look up the matching front-end data and use that for the rest of the session. Through a session cookie I then enforce that vBulletin is not included in subsequent pageviews.

All fine and dandy, and an extremely worthwhile optimization given that we're talking about a site with 300k unique visitors per month here. However, the one situation not covered here is if the user visits the main site, and then logs out on the forum, and returns to the main site. Since the session data is still valid and vB is not reloaded, the code there still thinks the user is correctly logged in.

Now what I wanted to do was store the bbuserid and bbsessionid cookies during the session, so I can detect changes in them to restart vB authentication, but then found out that bbuserid is only set if you check the 'Remember me' box, and bbsessionhash appears to change like every pageview, disqualifying both for reliable use in this situation.

Are these assumptions correct, and if so, how would I go about detecting a vB login change or logout without reloading the vBulletin core for every page?

A possible solution would perhaps be to write a plugin for vBulletin which stores another session cookie containing the current userId, also for temporary logins, but I'd like to keep the auth system outside vB as much as possible so that I can keep that a 'vanilla install'.

The session table. A row is created (and destroyed) on login/logout.

Well that would mean I'd have to actually query the vB database, which, while better than including the entire vBulletin engine, is something I try to avoid as much as possible. Also, I want to keep it all as independent as possible from future vB updates, which may change the database layout at its leisure.

What I found surprising is that the bbsessionhash cookie changes so much: I would have expected this to change only when a real new session is started on the forum. Could I have misconfigured something there in vB?

Okay I've introduced a simple hook on global_complete which sets a custom cookie with vBulletin's userId. This works fine, and is perfectly secure since I only use it to decide whether or not to reload vBulletin for performance reasons. Won't allow session stealing, since if it changes I'll load vB in full and let it decide who is really logged in.

Only caveat is that when I log out, it appears the global_complete hook isn't called, since the cookie will remain on the userId if I leave the forum right there. I've also tried resetting the cookie on logout_process hook but that doesn't work either.

Any suggestions for this last bit?

Will you post the code here when you figure it out?

Sorry cant help you though. :/

Could you post code (or direct to a thread that has it - i cant find it by searching) that does this externally? I do tons of queries on the vb database allready from my main site (site and forum on same domain), and need to match up the session table with my cookies.

Im doing some external login by creating the bbpassword and bbuserid cookies properly. Apparently my sessions dont match up once I actually navigate from the main site to the forum, and the user appears to not be logged in. Im not sure how to set the row correctly in the session table or how to create a sessionhash.

Thanks to anyone that can help

functions_login.php - function process_new_login()

yes... thats how it works internally!

im talking about directly inserting into the database via query, not function call or creating new instance of vB_Session...

<a href="https://vborg.vbsupport.ru/showpost.php?p=1348192&postcount=4" target="_blank">https://vborg.vbsupport.ru/showp...92&postcount=4</a>