vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   YUI and vB SESSIONURL question (https://vborg.vbsupport.ru/showthread.php?t=209669)

JamesAB 03-28-2009 04:02 AM

YUI and vB SESSIONURL question
 
I'm trying to use the YUI uploader with a vBulletin script, but I'm having trouble with SESSIONURL.

This works for me without SESSIONURL:
Code:

function upload() {
    if (fileID != null) {
        uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                        "POST",
                        {"do":"doupload",
                         "albumid":jababumid,
                         "jabuniquezip":jabuniquezip,
                         "securitytoken":SECURITYTOKEN},
                        "upload");
    }
}

However, I think I should be using SESSIONURL with securitytoken. :confused:

When I change the line to:
Code:

SESSIONURL + "securitytoken":SECURITYTOKEN},
Now I get a javascript error.

Is SESSIONURL supposed to be empty or NULL sometimes?

Any ideas or advice?

Thanks,
James

TigerC10 03-28-2009 05:15 AM

SESSIONURL is supposed to be empty all the time. The only time it gets used is when vBulletin has a problem with storing the Session Hash in the cookies. Instead of using SESSIONURL, try pulling the SessionHash from the cookies.

PHP Code:

// Read the session hash from the vBulletin cookie ('c' = $_COOKIE)
$vbulletin->input->clean_array_gpc('c', array(
    //COOKIE_PREFIX.'userid' => TYPE_UINT,
    //COOKIE_PREFIX.'password' => TYPE_STR,
    //COOKIE_PREFIX.'styleid' => TYPE_UINT,
    //COOKIE_PREFIX.'lastactivity' => TYPE_UINT,
    //COOKIE_PREFIX.'lastvisit' => TYPE_UINT,
    //COOKIE_PREFIX.'cpsession' => TYPE_STR,
    COOKIE_PREFIX.'sessionhash' => TYPE_STR
));

$sessionhash = $vbulletin->GPC[COOKIE_PREFIX.'sessionhash'];

Then you can use the $sessionhash variable in place of SESSIONURL, or define SESSIONURL to be $sessionhash, you know - whatever.

JamesAB 03-29-2009 01:41 AM

Okay. So from a security point of view, do I need SESSIONURL when passing an upload post from YUI to my PHP script?

There doesn't seem to be any official vBulletin/YUI guides yet. I've only found the stock reply indicating that connections should be called with this format.

Code:

YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
        success: this.handle_ajax_response,
        failure: this.handle_ajax_error,
        timeout: vB_Default_Timeout,
        scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);

This works for me using SESSIONURL as part of the request, but as I mentioned above it isn't working with the YUI uploader example I posted.

Bottom line, do I need to find a way to incorporate SESSIONURL (or $sessionid as TigerC10 suggested) with YUI's uploader in order to fully take advantage of vBulletin's CSRF protection scheme?

Or will using SECURITYTOKEN alone suffice?

Thanks,
James

TigerC10 03-29-2009 01:49 AM

I typoed that, $sessionid was supposed to be $sessionhash, I fixed my previous post. See my code sample for how to get at it.

I believe that the security token is matched up to the value in the database based on the session, so you do need it.

JamesAB 03-29-2009 03:47 AM

Thanks for your help TigerC10.

I'm still trying to understand why they are recommending

Code:

SESSIONURL + 'securitytoken=' + SECURITYTOKEN
versus simply

Code:

'securitytoken=' + SECURITYTOKEN
if SESSIONURL is normally empty. :confused:

As I found out above with the YUI uploader

Code:

"securitytoken":SECURITYTOKEN
works (for me) with CSRF enabled, but

Code:

SESSIONURL + "securitytoken":SECURITYTOKEN
gives me a javascript error.

Maybe I'll have to ask this same question in the CSRF thread in the articles section...

Thanks,
James

Dismounted 03-29-2009 03:52 AM

The security token is not stored anywhere - it is dynamically generated from other variables (e.g. time, user ID, etc.). (It is only needed on POST forms/requests.)

The session hash (SESSIONURL) is needed when the user does not have cookies enabled - it is empty otherwise.

JamesAB 03-29-2009 05:20 AM

I'm far from a javascript expert (I'm a PHP guy) and I've been trying to give myself a crash course in Yahoo/YUI this week. That's why I've been asking for help and assuming it was my mistake, but I'm finally coming to the conclusion that this is probably a YUI quirk.

I haven't found any documentation on this yet, but it appears that the first half of the POST vars on this uploader have to be string literals. You CANNOT use any variables here...or at least I can't get the simplest example to work.

If it's true, this would explain why I can't get any version to work with the SESSIONURL variable added either.

Code:

// THIS WORKS
uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                "POST",
                {"do":"doupload",
                "albumid":jababumid,
                "jabuniquezip":jabuniquezip,
                "securitytoken":SECURITYTOKEN},
                "upload");

as opposed to

Code:

// THIS DOES NOT WORK
var vbsessionurlsecuritytoken = "securitytoken";
uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                "POST",
                {"do":"doupload",
                 "albumid":jababumid,
                 "jabuniquezip":jabuniquezip,
                 // in an object literal the key is the identifier name itself,
                 // so this property is sent as "vbsessionurlsecuritytoken",
                 // not as "securitytoken"
                 vbsessionurlsecuritytoken:SECURITYTOKEN},
                "upload");

With the second version, when a variable is used instead of the actual string, I get a CSRF error.

Am I missing something?
Or should I give up on this?

Thanks,
James
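The posts above show that the uploader accepts a literal "securitytoken" key but not one taken from a variable. The following is an added example, not code from this thread or from vBulletin, showing how to build the POST-vars object with computed keys (bracket notation) so the securitytoken field and any session parameter are always named correctly. It assumes SESSIONURL is either "" (session hash in a cookie) or a query fragment of the form "s=<hash>&", and SECURITYTOKEN is the page's CSRF token; the sample values are constructed.

```javascript
// Added example: build the YUI uploader POST vars from vBulletin's globals
// without depending on a literal object key.
// Assumptions (not taken from the thread): SESSIONURL is "" or "s=<hash>&";
// SECURITYTOKEN is the page's CSRF token string.

function buildUploadVars(sessionUrl, securityToken, extra) {
  var vars = {};
  // Copy the caller's own fields first (do, albumid, ...).
  for (var k in extra) {
    if (Object.prototype.hasOwnProperty.call(extra, k)) {
      vars[k] = extra[k];
    }
  }
  // Bracket notation evaluates the key expression; an object-literal key
  // is taken as the identifier name itself, which is what broke above.
  var tokenKey = "securitytoken";
  vars[tokenKey] = securityToken;
  // SESSIONURL is a query-string fragment, so split it into name/value pairs
  // and add each one as its own POST field (nothing is added when it is "").
  var pairs = sessionUrl.split("&");
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === "") { continue; }
    var eq = pairs[i].indexOf("=");
    var key = decodeURIComponent(eq < 0 ? pairs[i] : pairs[i].slice(0, eq));
    var val = eq < 0 ? "" : decodeURIComponent(pairs[i].slice(eq + 1));
    vars[key] = val;
  }
  return vars;
}

// Companion for YAHOO.util.Connect.asyncRequest, which takes a query string
// rather than an object; same fields, URL-encoded.
function buildPostBody(sessionUrl, securityToken, extra) {
  var vars = buildUploadVars(sessionUrl, securityToken, extra);
  var parts = [];
  for (var k in vars) {
    if (Object.prototype.hasOwnProperty.call(vars, k)) {
      parts.push(encodeURIComponent(k) + "=" + encodeURIComponent(vars[k]));
    }
  }
  return parts.join("&");
}

// Constructed sample values standing in for vBulletin's globals.
var SAMPLE_SESSIONURL = "s=0123456789abcdef0123456789abcdef&";
var SAMPLE_TOKEN = "1238300000-constructedtokenvalue";
var uploadVars = buildUploadVars(SAMPLE_SESSIONURL, SAMPLE_TOKEN,
                                 { "do": "doupload", "albumid": 42 });
// uploader.upload(fileID, scriptUrl, "POST", uploadVars, "upload");
```

The same object works whether or not the session hash travels in a cookie, because an empty SESSIONURL simply adds no field.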

TigerC10 03-29-2009 05:44 AM

Just for giggles, try:

Code:

var vbsessionurlsecuritytoken = "securitytoken";
uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                "POST",
                {"do":"doupload",
                "albumid":jababumid,
                "jabuniquezip":jabuniquezip,
                vbsessionurlsecuritytoken.valueOf():SECURITYTOKEN},
                "upload");

The .valueOf() method will return the primitive value of the string, which might be substitutable for the literal value.

Quote:

Originally Posted by Dismounted (Post 1779494)
The security token is not stored anywhere - it is dynamically generated from other variables (e.g. time, user ID, etc.). (It is only needed on POST forms/requests.)

The session hash (SESSIONURL) is needed when the user does not have cookies enabled - it is empty otherwise.

Really? That's good to know, but then why does every submission form append the session to the post in a hidden type?

JamesAB 03-29-2009 04:41 PM

Thanks for the suggestion TigerC10.

I just tried using vbsessionurlsecuritytoken.valueOf() instead and the javascript would not even run properly.

I'm going to ask about this over at the Yahoo's YUI group too. It just seems odd or at least inconsistent that the POST vars format evaluates one way (as expected) with YAHOO.util.Connect.asyncRequest, but they seem to be treated differently with the YUI uploader.

In the meantime I'd like to evaluate the situation of not using SESSIONURL as part of the uploader's POST vars and just using "securitytoken":SECURITYTOKEN which works for me.

How often would this not work? Or exactly which users would be affected?
Is it only users that don't have cookies enabled?

Thanks,
James

Dismounted 03-30-2009 04:22 AM

Quote:

Originally Posted by TigerC10 (Post 1779541)
Really? That's good to know, but then why does every submission form append the session to the post in a hidden type?

I don't understand what you're trying to say?


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
