vb.org Archive


ART 09-30-2010 04:27 PM

How to force user to log in again when he/she enters user cp?
 
I have some sensitive private data userfields in my user profiles.

I want to force a user to log in again to access at least his/her profile edit page (or force a log out and show the log in form again before accessing this page).

When somebody has the "remember me" option set, it is very likely that he/she leaves an open session in a public place and somebody can view this data, read his/her PMs and so on.

How can I accomplish that on vb38x?

Deleting the user session in the DB alone does not work - I have to reset the user's cookies too, I believe. This snippet put into the init_startup hook does not work:

PHP Code:

$logout_time = $vbulletin->input->clean_gpc('c', COOKIE_PREFIX . 'nextlogout', TYPE_UINT);

if (TIMENOW > $logout_time)
{
    // clear authentication cookies
    vbsetcookie('sessionhash', '');
    vbsetcookie('userid', '');
    vbsetcookie('password', '');

    // set next clear time
    vbsetcookie('nextlogout', TIMENOW + 900); // 900 = 15 min
}


Maybe I'm missing something... any hints appreciated :)

kh99 09-30-2010 11:18 PM

I'm not sure I completely understand what you're trying to do, but I think vbsetcookie sets the cookies to be returned, which won't be seen until the next page load. Maybe what you want to do is also clear $vbulletin->GPC[COOKIE_PREFIX . 'sessionhash'].

ART 10-01-2010 11:01 AM

Thanks kh99,

Let's say I have here:

https://vborg.vbsupport.ru/profile.php?do=editprofile

a private profile user field with a user's home address or whatever sensitive data.

I would like to make this area more secure; as I said, when a user logs in on a public computer and forgets to log out, somebody else can easily access https://vborg.vbsupport.ru/profile.php?do=editprofile and see the data which is supposed to be private.

In other words - I'd like to make the usercp area as secure as the modcp or admincp area, which requires logging in after a certain inactivity time, ignoring the ticked "Remember me" option.

kh99 10-01-2010 12:15 PM

Sorry - I did get what you were trying to do, I guess what I meant was that I'm not sure exactly how you were planning to do it.

ART 10-01-2010 12:46 PM

Ah, sorry, my English is not as good as I thought. I did some (I believe) extensive searching to find something helpful, but failed. Thanks for the help.

Maybe there is a modification that uses the vbulletin core (include global.php) and for its purposes resets a user's session and requires him to log in again for security reasons to access its pages - then I suppose I would find an answer within that mod/hack.

kh99 10-01-2010 01:30 PM

No, it's my English - I didn't say what I meant.

I know there's one place in vBulletin where it asks you to log in again - that's when you try to use "delete as spam" on a post (around line 137 in inlinemod.php). It seems to use show_inline_mod_login() and inlinemod_authenticated() which are in includes/modfunctions.php. These can't be used directly (because they check for moderating permissions) but maybe you can figure out how they work and adapt them.

Lynne 10-01-2010 01:36 PM

vB forces moderators to log in again during their session to do inline moderating (if the admins have that option on), so why not check out that code?

ART 10-01-2010 03:01 PM

Ha! Thanks, good trace I suppose, I'll check that out.
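
The re-login idea discussed in this thread, as an added example in plain PHP (not vBulletin code and not from any poster): the sensitive page is gated on a server-side timestamp of the last password confirmation, so a "remember me" login alone never opens it and nothing depends on cookies set in the current response. The function names, the `reauth_at` key and the sample data are hypothetical.

```php
<?php
// Added example in plain PHP; not vBulletin code. All names are hypothetical.
declare(strict_types=1);

const REAUTH_WINDOW = 900; // seconds, the 15 minutes used in the thread's snippet

// True only if the password was confirmed recently in this server-side session.
// A "remember me" cookie may restore the login, but it never sets reauth_at.
function reauth_is_fresh(array $session, int $now): bool
{
    $at = $session['reauth_at'] ?? null;
    return is_int($at) && $at <= $now && ($now - $at) < REAUTH_WINDOW;
}

// Check the submitted password; stamp the session on success, clear it on failure.
function confirm_password(array &$session, string $password, string $hash, int $now): bool
{
    if (!password_verify($password, $hash)) {
        unset($session['reauth_at']);
        return false;
    }
    $session['reauth_at'] = $now;
    return true;
}

// Gate for a sensitive page: 'allow' renders it, 'prompt' shows the password form.
function gate_sensitive_page(array &$session, array $post, string $hash, int $now): string
{
    if (reauth_is_fresh($session, $now)) {
        return 'allow';
    }
    $pw = $post['confirm_password'] ?? null;
    if (is_string($pw) && confirm_password($session, $pw, $hash, $now)) {
        return 'allow';
    }
    return 'prompt';
}

// Constructed demo: a session restored from a long-lived cookie, no recent confirmation.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$session = ['userid' => 42];
$t = 1000000;
foreach ([[[], 0], [['confirm_password' => 'wrong'], 1],
          [['confirm_password' => 'correct horse'], 2], [[], 600], [[], 902]] as [$post, $dt]) {
    echo gate_sensitive_page($session, $post, $hash, $t + $dt), "\n";
}
```

In a real forum the gate would run before the profile edit page renders, with `$session` backed by the server-side session store rather than by anything the browser sends.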

