Unique Authentication System across all website/s

[kippesp]

My forums currently consist of 4 vBulletin forums each running vb2 code. There are two domains with one domain having 3 forums. The mod we made for vb2 centralized some tables into a shared database. The tables included user, userprofile, usergroups, privatemessage and about 6 others. This permits our users to have one username/password combination and use it across each of our 4 forums.

Since one forum uses a different domain, they won't be logged on automatically if they were logged on using the other domain. However, if they stay in the same domain, they will remain logged in when they are using cookies.

Who cares about vb2.... Well, that was our starting point. I've made similar modifications already for vbulletin 3 code. I've tested my changes that share about 20 tables.

How much to share depends on your implementation. For example, we opted to share calendar and holiday data. Others may not want that shared.

We've abandoned our need for this modification. I've already put in over 100 hours towards this modification, but we're doing something else. So far, the modification is over 900 lines.

As far as the cookie issue discussed, I did have to change that area as well since it depends on the license number. And with multiple license numbers, I needed something common. Problem solved.

I also added a flag to "unshare" the tables. This is required anytime you want to upgrade your forums. Otherwise, updating may fail depending on what changes the vBulletin update script makes.

I also have not completed necessary admin/mod panel modifications. Fox example, if you delete a user in one forum, the other forums would need to have posts removed if that is what you want. Birthday cron messages should only go out for one forum. These backend features are where I left off.

Are you a programmer who could take what I have and use it for your own modification? I can't justify continuing to make this modification since I no longer need it.

I guess PM me if you want to work something out. It would probably be best if I just handed my work (as a diff file) over to you and let you continue it from here.

Unless you're a programmer, I wouldn't advise using this modification. We've used it on vb2 for 3 years with vb2. This and other modifications caused many, many months delay in implementing a vbulletin 3 solution. And in the end, we're having to go a different route. Further, each time a new version of vBulletin is released, at least one hour of patching and verification is required. I've improved my efficiency in upgrading, but every time I must look at the changes and think through how it impacts a shared user environment--specifically looking for new queries or changes to existing tables/queries. If you don't do these things, you may encounter problems. To those users who say, "I upgraded in 5 minutes thanks to Beyond Compare." I say, "More power to ya, buddy!"

[CarlitoBrigante]

thanks all for replying. I will think of something else to do it!

Quote:

Originally Posted by CarlitoBrigante

thanks all for replying. I will think of something else to do it!

I was just thinking of one thing. Please follow me, and tell me if this could help:

1 - two different domains need the same user authentication. They are mywebsite1.com and mywebsite2.com.
2 - I have another website, named mynetwork.com. I create virtual subdomains web1.mynetwork.com and web2.mynetwork.com, redirecting respectively to mywebsite1.com and mywebsite2.com.
3 - Now, if I try to set a cookie from mywebsite1.com for *.mynetwork.com, would it work on both websites?

Thanks!

Had another idea... but maybe it's not doable.

What if I include an image in all my websites coming from the same forum's domain. Let's say I have mywebsite2.com and in it I put something like

include("http://mywebsite1.com/printimage.php");

This script will print an image AND will set a cookie for mywebsite2 when the user login in mywebsite2...

[Reevo]

Quote:

Originally Posted by CarlitoBrigante

1 - two different domains need the same user authentication. They are mywebsite1.com and mywebsite2.com.
2 - I have another website, named mynetwork.com. I create virtual subdomains web1.mynetwork.com and web2.mynetwork.com, redirecting respectively to mywebsite1.com and mywebsite2.com.
3 - Now, if I try to set a cookie from mywebsite1.com for *.mynetwork.com, would it work on both websites?

If you had all the forums installed as subdomains, I think I'm correct in saying that you could share the cookies across them, but it's possible that the login script would need to sit on the main domain.

For instance, I think example.com can create cookies which are accessible by *.example.com (site1.example.com, site2.example.com, etc..) but site1.example.com cannot create cookies for site2.example.com.

Therefore, the best way I can see of doing this is to create a master login script on example.com, then modify all forums to redirect to this script when a login is required. Obviously this doesn't address the shared user database issues you may encounter.

Quote:

Originally Posted by CarlitoBrigante

Had another idea... but maybe it's not doable.

What if I include an image in all my websites coming from the same forum's domain. Let's say I have mywebsite2.com and in it I put something like

include("http://mywebsite1.com/printimage.php");

This script will print an image AND will set a cookie for mywebsite2 when the user login in mywebsite2...

I think you're confusing a few techniques here. A way round the multi-site login problem could be to create a login script which can accept the username and password as GET info (part of the URL string) rather than POST info, and put this on each site. Then, in the login handler template, you'd have something along the lines of:

Code:

<?

echo '<img src="http://www.site1.com/login_image.php?username=' . $_POST['username'] . '&password=' . $_POST['password'] . '" />';

?>

Without testing this, I couldn't say if this poses any security risks, but I would favour the master login script method I mentioned above.

Something worth remembering is that if you use PHP to include a file from an external webserver, it will make an HTTP request for that file, which means the file will be executed by PHP on the other server in the same way it would be if you were browsing to it - the diffence is that the "browser" in this case will be your webserver, and not the user, thus any cookies that are set will not go to the user's browser. Also, your server will only see the results of the script after it has been executed on the other server, so will not have access to any of the functions defined within that file.

Hope this all makes sense, and helps

Paul.

[CarlitoBrigante]

Quote:

Originally Posted by Reevo

If you had all the forums installed as subdomains, I think I'm correct in saying that you could share the cookies across them, but it's possible that the login script would need to sit on the main domain.

For instance, I think example.com can create cookies which are accessible by *.example.com (site1.example.com, site2.example.com, etc..) but site1.example.com cannot create cookies for site2.example.com.

Therefore, the best way I can see of doing this is to create a master login script on example.com, then modify all forums to redirect to this script when a login is required. Obviously this doesn't address the shared user database issues you may encounter.




I think you're confusing a few techniques here. A way round the multi-site login problem could be to create a login script which can accept the username and password as GET info (part of the URL string) rather than POST info, and put this on each site. Then, in the login handler template, you'd have something along the lines of:

Code:

<?

echo '<img src="http://www.site1.com/login_image.php?username=' . $_POST['username'] . '&password=' . $_POST['password'] . '" />';

?>

Without testing this, I couldn't say if this poses any security risks, but I would favour the master login script method I mentioned above.

Something worth remembering is that if you use PHP to include a file from an external webserver, it will make an HTTP request for that file, which means the file will be executed by PHP on the other server in the same way it would be if you were browsing to it - the diffence is that the "browser" in this case will be your webserver, and not the user, thus any cookies that are set will not go to the user's browser. Also, your server will only see the results of the script after it has been executed on the other server, so will not have access to any of the functions defined within that file.

Hope this all makes sense, and helps

Paul.

Hello,

thanks for clearing things up a bit! No, unfortunately, not all domains are subdomains, I have also completely different domains, so I guess I cannot use the main login script approach you suggested...

Quote:

Originally Posted by CarlitoBrigante

Hello,

thanks for clearing things up a bit! No, unfortunately, not all domains are subdomains, I have also completely different domains, so I guess I cannot use the main login script approach you suggested...

How does the image thingy work exactly?

[steve@dvdlard]

Quote:

Originally Posted by KirbyDE

This is a FAQ and has been answered over and over agein already

Column password in table user is md5(md5('PlaintextPassword'), salt).

Does this help you?

Bit of a long shot but does anyone know If I can reproduce the password in VB.Net. I'm trying to create a 'Post a Comment' link on another site which is .Net, tried all sorts of variations of MD5 but the resulting hash code is never the same as the database.

[CarlitoBrigante]

Quote:

Originally Posted by steve@dvdlard

Bit of a long shot but does anyone know If I can reproduce the password in VB.Net. I'm trying to create a 'Post a Comment' link on another site which is .Net, tried all sorts of variations of MD5 but the resulting hash code is never the same as the database.

I had another idea - please let me know if this may lead to some problems -

1) I have mysecondarywebsite.com;
2) user insert his username/password;
3) he is sent to mymainwebsite.com with username and password as _POST data. They are checked against vb database. If correct, cookies are set. He is sent back to mysecondarywebsite.com;
4) his cookies are verified again at mysecondarywebsite.com and set also for that domain.

The problem is that if I have more than one website it is going to be a mess.

Then, another thing I could do is to put all the forms processing pages to insert data, together with the main login script, on mymainwebsite.com. When the user enters a value on mysecondarywebsite.com or on mythirdwebsite.com, he is redirected to a script on mymainwebsite.com with all info he has submitted as POST data. Now, in this script I will check also for identity of the user before inserting data...

[CarlitoBrigante]

Quote:

Originally Posted by Reevo

A way round the multi-site login problem could be to create a login script which can accept the username and password as GET info (part of the URL string) rather than POST info, and put this on each site. Then, in the login handler template, you'd have something along the lines of:

In the end, this seems the easiest solution but I am concerned about security. Can somebody tell me which kind of security holes this may open?

Thanks!

[Tekton]

I don't see how it would be a problem if you had multiple vB copies (legal) and just used ONE of the copies accross all of the sites. Link them all to the same database, and just go from there.

[rhysgriffiths]

Hi,

I'm not an expert on this subject but i may have a solution.

Why don't you point all your domains to one domain with several licenced vb3's on that server, each in separate directory's and seperate databases?

Could the cookie monster work then?

[auz1111]

Has anybody ever come up with a working solution? I would love to have many VB sites that use just the same user table!