  #1  
03-28-2009, 04:02 AM
JamesAB
Join Date: Dec 2003
Posts: 125

YUI and vB SESSIONURL question

I'm trying to use the YUI uploader with a vBulletin script, but I'm having trouble with SESSIONURL.

This works for me without SESSIONURL:
Code:
function upload() {
    if (fileID != null) {
        uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                        "POST",
                        {"do":"doupload",
                         "albumid":jababumid,
                         "jabuniquezip":jabuniquezip,
                         "securitytoken":SECURITYTOKEN},
                        "upload");
    }
}
However, I think I should be using SESSIONURL with securitytoken.

When I change the line to:
Code:
SESSIONURL + "securitytoken":SECURITYTOKEN},
Now I get a javascript error.

Is SESSIONURL supposed to be empty or NULL sometimes?

Any ideas or advice?

Thanks,
James
  #2  
03-28-2009, 05:15 AM
TigerC10
Join Date: Apr 2006
Location: Austin, TX
Posts: 616

SESSIONURL is supposed to be empty all the time. The only time it gets used is when vBulletin has a problem with storing the Session Hash in the cookies. Instead of using SESSIONURL, try pulling the SessionHash from the cookies.

PHP Code:
// Read only the session hash cookie; the other cookie keys stay commented out
$vbulletin->input->clean_array_gpc('c', array(
    //COOKIE_PREFIX.'userid' => TYPE_UINT,
    //COOKIE_PREFIX.'password' => TYPE_STR,
    //COOKIE_PREFIX.'styleid' => TYPE_UINT,
    //COOKIE_PREFIX.'lastactivity' => TYPE_UINT,
    //COOKIE_PREFIX.'lastvisit' => TYPE_UINT,
    //COOKIE_PREFIX.'cpsession' => TYPE_STR,
    COOKIE_PREFIX.'sessionhash' => TYPE_STR
));

// The cleaned value is available from the GPC array under the same key
$sessionhash = $vbulletin->GPC[COOKIE_PREFIX.'sessionhash'];
Then you can use the $sessionhash variable in place of SESSIONURL, or define SESSIONURL to be $sessionhash, you know - whatever.
  #3  
03-29-2009, 01:41 AM
JamesAB
Join Date: Dec 2003
Posts: 125

Okay. So from a security point of view, do I need SESSIONURL when passing an upload post from YUI to my PHP script?

There doesn't seem to be any official vBulletin/YUI guides yet. I've only found the stock reply indicating that connections should be called with this format.

Code:
YAHOO.util.Connect.asyncRequest('POST', scriptpath + '?do=ajax', {
	success: this.handle_ajax_response,
	failure: this.handle_ajax_error,
	timeout: vB_Default_Timeout,
	scope: this
}, SESSIONURL + 'securitytoken=' + SECURITYTOKEN + '&foo=' + foo);
This works for me using SESSIONURL as part of the request, but as I mentioned above it isn't working with the YUI uploader example I posted.

Bottom line, do I need to find a way to incorporate SESSIONURL (or $sessionid as TigerC10 suggested) with YUI's uploader in order to fully take advantage of vBulletin's CSRF protection scheme?

Or will using SECURITYTOKEN alone suffice?

Thanks,
James
  #4  
03-29-2009, 01:49 AM
TigerC10
Join Date: Apr 2006
Location: Austin, TX
Posts: 616

I typoed that, $sessionid was supposed to be $sessionhash, I fixed my previous post. See my code sample for how to get at it.

I believe that the security token is matched up to the value in the database based on the session, so you do need it.
  #5  
03-29-2009, 03:47 AM
JamesAB
Join Date: Dec 2003
Posts: 125

Thanks for your help TigerC10.

I'm still trying to understand why they are recommending

Code:
SESSIONURL + 'securitytoken=' + SECURITYTOKEN
versus simply

Code:
'securitytoken=' + SECURITYTOKEN
if SESSIONURL is normally empty.

As I found out above with the YUI uploader

Code:
"securitytoken":SECURITYTOKEN
works (for me) with CSRF enabled, but

Code:
SESSIONURL + "securitytoken":SECURITYTOKEN
gives me a javascript error.

Maybe I'll have to ask this same question in the CSRF thread in the articles section...

Thanks,
James
  #6  
03-29-2009, 03:52 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

The security token is not stored anywhere - it is dynamically generated from other variables (e.g. time, user ID, etc.). (It is only needed on POST forms/requests.)

The session hash (SESSIONURL) is needed when the user does not have cookies enabled - it is empty otherwise.
  #7  
03-29-2009, 05:20 AM
JamesAB
Join Date: Dec 2003
Posts: 125

I'm far from a javascript expert (I'm a PHP guy) and I've been trying to give myself a crash course in Yahoo/YUI this week. That's why I've been asking for help and assuming it was my mistake, but I'm finally coming to the conclusion that this is probably a YUI quirk.

I haven't found any documentation on this yet, but it appears that the first half of the POST vars on this uploader have to be string literals. You CANNOT use any variables here...or at least I can't get the simplest example to work.

If it's true, this would explain why I can't get any version to work with the SESSIONURL variable added either.

Code:
// THIS WORKS
uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                "POST",
                {"do":"doupload",
                 "albumid":jababumid,
                 "jabuniquezip":jabuniquezip,
                 "securitytoken":SECURITYTOKEN},
                "upload");
as opposed to

Code:
// THIS DOES NOT WORK
var vbsessionurlsecuritytoken = "securitytoken";
uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                "POST",
                {"do":"doupload",
                 "albumid":jababumid,
                 "jabuniquezip":jabuniquezip,
                 // an unquoted object-literal key is taken as the identifier text itself,
                 // so this parameter is posted as "vbsessionurlsecuritytoken", not "securitytoken"
                 vbsessionurlsecuritytoken:SECURITYTOKEN},
                "upload");
With the second version, when a variable is used instead of the actual string, I get a CSRF error.

Am I missing something?
Or should I give up on this?

Thanks,
James
  #8  
03-29-2009, 05:44 AM
TigerC10
Join Date: Apr 2006
Location: Austin, TX
Posts: 616

Just for giggles, try:

Code:
var vbsessionurlsecuritytoken = "securitytoken";
uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php",
                "POST",
                {"do":"doupload",
                 "albumid":jababumid,
                 "jabuniquezip":jabuniquezip,
                 vbsessionurlsecuritytoken.valueOf():SECURITYTOKEN},
                "upload");
The .valueOf() method will return the primitive value of the string, which might be substitutable for the literal value.

Quote (Originally Posted by Dismounted):
The security token is not stored anywhere - it is dynamically generated from other variables (e.g. time, user ID, etc.). (It is only needed on POST forms/requests.)

The session hash (SESSIONURL) is needed when the user does not have cookies enabled - it is empty otherwise.
Really? That's good to know, but then why does every submission form append the session to the post in a hidden type?
  #9  
03-29-2009, 04:41 PM
JamesAB
Join Date: Dec 2003
Posts: 125

Thanks for the suggestion TigerC10.

I just tried using vbsessionurlsecuritytoken.valueOf() instead and the javascript would not even run properly.

I'm going to ask about this over at Yahoo's YUI group too. It just seems odd or at least inconsistent that the POST vars format evaluates one way (as expected) with YAHOO.util.Connect.asyncRequest, but they seem to be treated differently with the YUI uploader.

In the meantime I'd like to evaluate the situation of not using SESSIONURL as part of the uploader's POST vars and just using "securitytoken":SECURITYTOKEN which works for me.

How often would this not work? Or exactly which users would be affected?
Is it only users that don't have cookies enabled?

Thanks,
James
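An added example (my own, not code from this thread, from vBulletin or from YUI) that addresses both the literal-key problem from post #7 and the question above about dropping SESSIONURL: it assembles the uploader's POST-vars object with bracket notation so that securitytoken is always sent and the session hash is added only when SESSIONURL is non-empty. It assumes vBulletin 3 emits SESSIONURL as either an empty string or a query fragment of the form "s=<hash>&", and that the PHP side accepts that "s" parameter in the POST body; both are assumptions, not facts taken from the thread.

```javascript
// Added example, not from the thread. Builds the POST-vars object for
// uploader.upload() so the CSRF token is always present and the cookieless
// session hash is carried when SESSIONURL is set.
//
// Assumption: SESSIONURL is "" (cookies work) or a fragment like "s=<hash>&"
// meant for URL concatenation. Because an object-literal key is taken
// verbatim ({ name: v } posts "name", not the value of a variable called
// name), the fragment is parsed and assigned with bracket notation instead.
function buildUploadVars(sessionUrl, securityToken, extra) {
  var vars = {};
  var key;
  // Copy the script's own parameters first (do, albumid, ...).
  for (key in extra) {
    if (Object.prototype.hasOwnProperty.call(extra, key)) {
      vars[key] = extra[key];
    }
  }
  // Turn "s=<hash>&" into vars["s"] = "<hash>" so a user without cookies
  // still reaches the PHP side with a session.
  var pairs = (sessionUrl || "").split("&");
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === "") { continue; }      // trailing "&" leaves an empty entry
    var eq = pairs[i].indexOf("=");
    if (eq < 0) { continue; }
    vars[decodeURIComponent(pairs[i].slice(0, eq))] =
      decodeURIComponent(pairs[i].slice(eq + 1));
  }
  // The CSRF token is mandatory on every POST, with or without SESSIONURL;
  // refuse to build an unprotected request rather than send one silently.
  if (!securityToken) {
    throw new Error("SECURITYTOKEN missing: refusing to build the POST vars");
  }
  vars["securitytoken"] = securityToken;
  return vars;
}

// Usage with the thread's uploader call (variable names as in the thread):
// uploader.upload(fileID, "http://tforum.mydomain.com/uploadzip.php", "POST",
//   buildUploadVars(SESSIONURL, SECURITYTOKEN,
//                   {"do": "doupload", "albumid": jababumid, "jabuniquezip": jabuniquezip}),
//   "upload");
```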
  #10  
03-30-2009, 04:22 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Quote (Originally Posted by TigerC10):
Really? That's good to know, but then why does every submission form append the session to the post in a hidden type?
I don't understand what you're trying to say?