sessionurl question

[MoB Dudditz MD]

Can anyone tell me the difference between
$session[sessionurl]
and
$session[sessionurl_q]
?

Or point me in the direction of any information regarding these.
I have had random logout issues and wondering if these are the cause
being improperly added to my forum urls.

[Adrian Schneider]

link.php?$session[sessionurl]do=something
renders it as

link.php?do=something
link.php?s=(sid)&do=something

So that one ends with an ampersand, and requires the query string to be started (?) on the left.

link.php$session[sessionurl_q]

renders as

link.php
link.php?s=(sid)

so this one is for links that have no query string - it will start it automatically, and won't add the extra ampersand on the end.

[MoB Dudditz MD]

Are there certain links required to have one?
Such as the login.php or the private.php?

I have had complications with certain login abilities on
non-forum pages, especially through vBadvanced,
such as random logouts.

[Adrian Schneider]

The idea is if the user has cookies disabled, it will continue to keep them logged in.

If people are experiencing the random logouts, ask them if they have cookies enabled.

[DJiMPaCT]

thanks

[MoB Dudditz MD]

That explained alot.Thanks.
I'll have to back track my amateur coding technique and fix some links.
TY

[jerx]

Do you need to add the sessionurl to every link?

It looks like mod authors do not use it on links within their mods. Does it have good reason or did they forget it?

I think that some vb links do not have sessionurl either, eg the archive link in the footer. Why does that link not have the sessionurl?

How about links to external scripts? I assume it is incorrect to put sessionurl to those links, right? How about links to bridged scripts? I have bridged vb to coppermine gallery and coppermine checks if a user has logged into vb. Since using cookies had some issues, the bridge now extracts the session directly from the vb table.

[Dismounted]

Quote:

Originally Posted by jerx

Do you need to add the sessionurl to every link?

Yes, any page that uses the vBulletin engine.

Quote:

Originally Posted by jerx

It looks like mod authors do not use it on links within their mods. Does it have good reason or did they forget it?

People forget - or they don't know in the first place.

Quote:

Originally Posted by jerx

I think that some vb links do not have sessionurl either, eg the archive link in the footer. Why does that link not have the sessionurl?

Because there is no need for the session to carry over to the archive.

Quote:

Originally Posted by jerx

How about links to external scripts? I assume it is incorrect to put sessionurl to those links, right?

Yes, because only the vBulletin engine uses it.

Quote:

Originally Posted by jerx

How about links to bridged scripts? I have bridged vb to coppermine gallery and coppermine checks if a user has logged into vb. Since using cookies had some issues, the bridge now extracts the session directly from the vb table.

It will initiate the vBulletin engine somewhere in there, so yes.

[jerx]

Thank you very much for your quick and thorough reply!

I have some more questions. How do you determine if a link needs the sessionurl?

I think the bridge to coppermine does not initiate the vb engine. The aim of the bridge file was to connect to vb without "touching" the forum, meaning change any setting, change anything in the vb database tables or files. The original bridge file used the vb session cookie to recognize logged in users. This did not work 100%, because when the browser was closed and the user visited the gallery without entering the forum first, the user was classified as guest.

The original cookie code looked like this:

Code:

	// definition of how to extract id, name, group from a session cookie
	function session_extraction()
	{
		if (isset($_COOKIE[$this->cookie_name . 'sessionhash'])) {
			$session_id = addslashes($_COOKIE[$this->cookie_name . 'sessionhash']);
			
			$sql = "SELECT u.{$this->field['user_id']}, u.{$this->field['password']}, u.{$this->field['grouptbl_group_id']}+100 AS usergroupid FROM {$this->usertable} AS u, {$this->sessionstable} AS s WHERE s.{$this->field['user_id']}=u.{$this->field['user_id']} AND s.sessionhash='$session_id'";
			
			$result = cpg_db_query($sql, $this->link_id);
			
			if (mysql_num_rows($result)){
				$row = mysql_fetch_array($result);
				return $row;
			} else {
			    return false;
			}
		}
	}

	// definition of how to extract an id and password hash from a cookie
	function cookie_extraction()
	{
		return false;
	}

Now the direct session extraction from the vb db looks like this:

Code:

	function cookie_extraction()   {
		if (isset($_COOKIE[$this->cookie_name . 'userid'])) {
			$userFromCookie_id = addslashes($_COOKIE[$this->cookie_name . 'userid']);

			$sql = "SELECT u.{$this->field['user_id']}, u.{$this->field['password']}, u.{$this->field['grouptbl_group_id']}+100 AS usergroupid FROM {$this->usertable} AS u WHERE u.userid='$userFromCookie_id'";

			$result = cpg_db_query($sql, $this->link_id);

			if (mysql_num_rows($result)){
				$row = mysql_fetch_array($result);
				return $row;
			} else {
				return false;
			}
		}
	}

I think that therefore you do not have to add sessionurl to the gallery link, do you?

But I like to enhance the bridge. If users only enter the gallery a session should be stored, too, so that they won' t face the problem of being logged out in the middle of viewing the gallery and also to be able to display people in the gallery in who is online.

I think to achieve that you have to initiate the vb engine (eg by calling global.php) and linking with sessionurl should be mandatory again.

[Dismounted]

The correct way to use vBulletin's authentication system is to check the session hash (the first method) and update the session. The session hash is stored as a cookie. When cookies are disabled, it is passed along to every file through "sessionurl", hence the need for it.