The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Single Signin via Key
I've been searching but can't find a solution for what I need. However, if there is one please feel free to post a link.
So, here's what I'm trying to do... I've got a Java application that will have a link to the vBulletin forums. The link looks like this: http://domain.com/signon.php?hash=rand128charkey

The random 128 character key is inserted into an extra database table I've created called vb_hash which stores the 128 char key, username and timestamp. Now, the purpose of this is to authenticate via the KEY, not via a login page that is displayed. I'm trying to make the login transparent. The Java app will handle registering the users and initially authenticating them, but the movement to the vBulletin forums has to be transparent, silent and present NO user credentials that malicious persons could extract for later use.

To achieve this my thought was to first verify the URL key against the one stored in the database table prior to redirecting to the signon.php script. Then to check the timestamp against now() to make sure it's within a given TTL. If that verification succeeds, the username stored in vb_hash is searched for in vb_users. With that, session variables, cookies, etc. would be created and then the script does a header() redirect to the forums. This way, by the time the visitor gets to the forums they are already logged in and don't have to refresh or anything like that.

Here is what I need help with... Now, I have this entire thing built but I can't seem to figure out how vBulletin qualifies a logged in user. Meaning is it a particular set of session variables and if so what and where are they? Is it cookies? If someone could explain the specifics of what vBulletin uses to qualify a user and tell me how I can manually log a user in without their password...using the key. If someone could also point me to the block of code in vB that does this, that would be helpful as well. I've checked includes/functions_login.php and login.php but there must be some underlying code that's doing this and I haven't found it yet.

I need to know what session or cookie values I can set and where those are set in the production code so I can mimic the authentication behavior manually. Any help is greatly appreciated.

As far as security, no user information is ever provided in the URL or form redirection... it all has to be silent & server side. The only thing displayed is a random 128 character string that has nothing to do with the user and is deleted after it's used the first time. The TTL would serve as a backup to address a borked process where someone captured the URL and it would be too short to do anything. Like 10 seconds.

Thanks,
Kyle
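
The key check described in the post, as an added example that is not part of the original post and not vBulletin code: the key is redeemed once, inside the TTL, and the delete's row count decides which of two simultaneous requests wins. The `vb_hash` column names, the function names, storing a SHA-256 digest instead of the raw key, and the in-memory SQLite database standing in for MySQL are all assumptions made here; vBulletin's own session and cookie handling is not touched.

```php
<?php
// Added example, not vBulletin code; vb_hash columns are assumptions modelled on the post.
const TOKEN_TTL = 10; // seconds, the TTL the post suggests

function issue_token(PDO $db, string $user, int $now): string {
    $token = bin2hex(random_bytes(64)); // 128 hex characters from a CSPRNG
    // Assumption: keep only a digest, so a leaked table holds no usable keys.
    $db->prepare('INSERT INTO vb_hash (hash, username, created) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $user, $now]);
    return $token;
}

function redeem_token(PDO $db, string $token, int $now): ?string {
    if (!preg_match('/\A[0-9a-f]{128}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $digest = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT username, created FROM vb_hash WHERE hash = ?');
    $sel->execute([$digest]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    // Delete on every presentation, expired or not. If two requests race,
    // only one DELETE reports an affected row, so only one is accepted.
    $del = $db->prepare('DELETE FROM vb_hash WHERE hash = ?');
    $del->execute([$digest]);
    $consumed = $del->rowCount() === 1;
    $db->commit();
    if (!$row || !$consumed) {
        return null; // unknown key, replay, or lost the race
    }
    if ($now - (int) $row['created'] > TOKEN_TTL) {
        return null; // key existed but is older than the TTL
    }
    return $row['username'];
}

// Constructed demo data; production code would pass time() as $now.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE vb_hash (hash TEXT PRIMARY KEY, username TEXT, created INTEGER)');
$t0 = 1700000000;
$key = issue_token($db, 'alice', $t0);
var_dump(redeem_token($db, $key, $t0 + 3));   // first use inside the TTL
var_dump(redeem_token($db, $key, $t0 + 4));   // replay of the same key
$late = issue_token($db, 'alice', $t0);
var_dump(redeem_token($db, $late, $t0 + 11)); // presented after the TTL
```

Only after `redeem_token()` returns a username would signon.php go on to look that user up and establish the forum session.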