Single Signin via Key

[clykclyk]

I've been searching but can't find a solution for what I need. However, if there is one please feel free to post a link.

So, here's what I'm trying to do...

I've got a Java application that will have a link to the vBulletin forums.
The link looks like this:
http://domain.com/signon.php?hash=rand128charkey

The random 128 character key is inserted into an extra database table I've created called vb_hash which stores the 128 char key, username and timestamp. Now, the purpose of this is to authenticate via the KEY not via a login page that is displayed. I'm trying to make the login transparent. The Java app will handle registering the users and initially authenticating them but the movement to the vbulletin forums has to be transparent, silent and present NO user credentials that malicious persons could extract for later use.

To achieve this my thought was to first verify the URL key against the one stored in the database table prior to redirecting to the signon.php script. Then to check the timestamp against now() to make sure its within a given ttl.

If that verification succeeds, the username stored in vb_hash is searched for in vb_users. With that, session variables, cookies, etc. would be created and then the script does a header() redirect to the forums. This way by the time the visitor gets to the forums they are already logged in and don't have to refresh or anything like that.

Here is what I need help with...
Now, I have this entire thing built but I can't seem to figure out how vBulletin qualifies a logged in user. Meaning is it a particular set of session variables and if so what and where are they?
Is it cookies?

If someone could explain the specifics of what vBulletin uses to qualify a user and tell me how I can manually log a user in without their password...using the key. If someone could also point me to the block of code in vb that does this that would be helpful as well. I've checked includes/functions_login.php and login.php but there must be some underlying code thats doing this and I haven't found it yet. I need to know what session or cookie values I can set and where those are set in the production code so I can mimic the authentication behavior manually.

Any help is greatly appreciated.

As far as security, no user information is ever provided in the URL or form redirection... it all has to be silent & server side. The only thing displayed is a random 128 character string that has nothing to do with the user and is deleted after its used the first time. The TTL would serve as a backup to address a borked process where someone captured the URL and it would be too short to do anything. Like 10 seconds.

Thanks,
Kyle

[clykclyk]

I found a solution on my own to address this. Rather annoyed that this still has no response. Oh well.

[wwdj]

Maybe you can help me/us with your solution?

[clykclyk]

Steps:
1.) create the script
2.) create the MySQL table
3.) OPTIONAL: create the cron job

...keep reading


First... create a script called signon.php and drop it in the forums/ sub directory where vBulletin is created and put the following code in it...

PHP Code:

<?php

/*###################################################################################
DATE: 10/29/2007
WRITTEN BY: clykclyk
PURPOSE: Single Sign-on solution for vBulletin.
###################################################################################*/

// file where $dbhost, $dbuser, $dbpass & $dbname MySQL variables are stored.
include("common.php");

//Check if there is a HASH passed in the URL.
if($_GET['hash'] && strlen($_GET['hash']) == 128){
  $gethash = $_GET['hash'];

  // Connect to the database
  mysql_connect($dbhost,$dbuser,$dbpass) or die(mysql_error());
  mysql_select_db($dbname);

  // SELECT values from vb_hash table for comparison
  $result = mysql_query("SELECT generatedid,expireson,userid FROM vb_hash WHERE generatedid='$gethash'") or die(mysql_error());
  $row = mysql_fetch_row($result);

  // We have what we need so DELETE the record from vb_hash so it can't be used again
  mysql_query("DELETE FROM vb_hash WHERE generatedid='$gethash'") or die(mysql_error());

  // Grab the user's values from the vb_user table for use in setting the session cookie prior to redirect
  $result1 = mysql_query("SELECT userid FROM vb_user WHERE email='".$row[2]."'") or die(mysql_error());
  $user = mysql_fetch_row($result1);

  // If HASH passed in URL matches the value from the vb_hash database then proceed.
  if($gethash == $row[0]){
        // Establish timestamps in friendlier format for comparison
        $timestamp = strtotime($row[1]);
        $now = strtotime('now');

        // Evaluate TTL
        if($timestamp > $now) {

                // Define values per vBulletin global scope
                define('THIS_SCRIPT', 'login');
                define('VB_AREA', 'Subscriptions');

                // Include required files from vBulletin so we can use the vbsetcookie() OR process_new_login() functions depending on preference.
                require("global.php");
                require("includes/functions_login.php");

                $vbulletin->userinfo['userid'] = $user[0];
                process_new_login('', true, '');
        }
  }
}

// now just redirect (in all cases)
exec_header_redirect($vbulletin->url);

?>

Second... create the MySQL db table called vBulletin.vb_hash like so...

CREATE TABLE `vb_hash` (
`generatedid` varchar(128) NOT NULL default '',
`expireson` timestamp NOT NULL default CURRENT_TIMESTAMP,
`userid` varchar(100) NOT NULL default '',
UNIQUE KEY `generatedid` (`generatedid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


third... We then had a cron job that would work behind the scenes every 2 minutes and delete any entries passed the expired time. For some folks this step can be considered over kill as the signon.php script will delete the entry in the database once it has been used but for us this step ensured that IF by some freak chance the embedded browser did not open after the database had been populated it would still kill the entry so that the URL cannot be captured and used later.

I don't have this script handy so I am not able to provide it but in short its just a bash script that executes a MySQL query to DELETE FROM vb_hash WHERE expireson > now();

OTHER INFO:
The URL string to pass to this is:
signon.php?hash=<128_character_string>

In our case the Java applet which provided the link to the user would upon clicking the link...
1.) populate the vb_hash table with the 128 character string, expire timestamp and userid of the logged in user
2.) send the User to the link via an embedded browser window.

We set our expireson timestamp to 1 minute which is far longer than needed to click a link and execute the result so the cron job ran at twice that time... this way even if the entry did live passed the execution of the signon.php script it would be removed promptly and not linger in the database.

NOTE: Consequently, because our Java application was initially handling the authentication it was also handling the registration so the registration in vBulletin was disabled and when the Java application registered a new user it would populate the vb_user, vb_userfield, and vb_usertextfield tables the same way vBulletin does natively.

SIDE NOTE: To test which tables are changed for yourself upon registration, do a directory listing with file sizes on the raw MySQL files as a control. Then register a user and do another directory listing...then just diff the 2 and see what changed. That gives you the tables that are modified. From there you can see what was entered for the user you just registered.

Happy New Year!

--------------- Added [DATE]1199242299[/DATE] at [TIME]1199242299[/TIME] ---------------

One more added note regarding the login...
There are 2 ways to make vBulletin recognize an authenticated user,

vbsetcookie() and process_new_login().

We opted to use process_new_login() because our embedded browser would not allow us to set cookies in this way but you can just as easily use vbsetcookie().

If you'd rather use vbsetcookie() then here is the code to replace in the previous code:

REPLACE:

PHP Code:

         // Set the session cookie values using the process_new_login() function
                $vbulletin->userinfo['userid'] = $user[0];
                process_new_login('', true, ''); 


WITH:

PHP Code:

         // Set the session cookie values using the vbsetcookie() function
          vbsetcookie('userid', $user[1], true, true, true);
          vbsetcookie('password', md5($user[0] . 'VBxxxxxx'), true, true, true); 


[Dismounted]

Just a quick note to other users, in the last example, "VBxxxxxx" is your license ID.

@clykclyk: I've removed it for you for security purposes.

[clykclyk]

Ouch, I completely missed that.

Thank you for catching it.