Login from external app without any redirect

[budget_ben]

I've tried to read the great variety of login/redirect threads on the board but haven't found anything akin to what I'm trying to do.

I have a flash app that accesses a wide variety of server-side data via php scripts. What I am attempting is to allow the user to 'log in' via the flash application residing on the same server. I put the 'log in' in quotes only because I'm not expecting the user to be able to browse the forums via my wee app, I just need to authenticate a username/password combo and acquire a valid session.

A brief rundown of the sequence of events:
1. user is playing with the flash app and would like to save his/her progress.
2. a dialog box prompts for the username and password.
3. I do a POST to https://mysite.com/handleLogin.php
4. the php page validates the provided data and returns a 'go/no go' string to the flash app.

The problem I am running into is that the login code below does not work without using the do_login_redirect() function. With the correct username and password, it will return 'true' for a success but I'm not really logged in - when I browse to the forum index.php it acts as if I have not logged in.

Code:

function validateLogin( $username, $password )
{
	global $vbulletin;
	
	$vbulletin->input->clean( $username, TYPE_STR );
	$vbulletin->input->clean( $password, TYPE_STR );
	
	$strikes = verify_strike_status($username);
	if ($strikes === false || $strikes >= 5)
	{
		return false; //locked out	
	}	

	if( !verify_authentication($username, $password, '', '', true, false) )
	{
		return $strikes + 1;	//fat-fingered the password?
	}
	else
	{
		//User and pw ok, let's log them in
		exec_unstrike_user($username);

		process_new_login('', true, '');
		
		//*****************************
		//	WHY MUST I REDIRECT?
		//*****************************
		//do_login_redirect();
		
		return true;	
	}
}

So now my questions (finally):
1. Does anyone know why there needs to be a redirect? Does it need one to properly set the cookie/active user list?
2. Is there a way around this?

I appreciate any help you folks can provide.

[Dismounted]

Cookies don't set unless a complete page load is presented to the browser. That is most likely the problem.

[budget_ben]

Thanks for the help - simply re-loading the page seemed to do the trick.

Here's a complete example for anyone else interested in using the forum database as general purpose user authentication.

Code:

<?php
// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/functions_login.php');
require_once(DIR . '/includes/functions_misc.php');

//returns FALSE if locked out, or the number of strikes, or TRUE for success
function validateLogin( $username, $password )
{
	global $vbulletin;
	
	$vbulletin->input->clean( $username, TYPE_STR );
	$vbulletin->input->clean( $password, TYPE_STR );
	
	$strikes = verify_strike_status($username);
	if ($strikes === false || $strikes >= 5)
	{
		return false; //locked out	
	}	

	if( !verify_authentication($username, $password, '', '', true, false) )
	{
		exec_strike_user($vbulletin->userinfo[ $username ]);
		return $strikes + 1;	//fat-fingered the password?		
	}
	else
	{
		//User and pw ok, let's log them in
		exec_unstrike_user($username);

		process_new_login('', true, '');
		
		return true;	
	}
}

if( isset($_POST['do']) && $_POST['do'] === 'login' )
{
	if( isset($_POST['username']) )
	{
		$username = $_POST['username'];
	}
	
	if( isset($_POST['password']) )
	{
		$password = $_POST['password'];
	}
	
	if( isset($username) && isset($password) )
	{
		//Attempt the login - input is cleaned in the function
		$result = validateLogin($username, $password);
	
		if( $result === true )
		{
			//Re-load this page to ensure all cookies are set
			exec_header_redirect('forumLoginTest.php');	
		}
		else if( $result === false )
		{
			echo("transaction=ERR_LOCKED_OUT");
		}
		else
		{
			echo("transaction=ERR_STRIKE&value=$result");	
		}
	}
	else
	{
		echo("transaction=ERR_PARSE");	
	}
}
else
{
	echo("transaction=ERR_NONE");
}

?>

[chaim_2003]

Thanks for this!

[jwm0z]

Reading this post helped me figure out why my session style (not cookie, cookie was fine) login was not working in an ajax function yet it was in a regular POST/redirect style flow.

A redirect is not explicitly needed, it is what happens during the redirect (exec_header_redirect()) which is needed. After looking through the code the reason it appears that a proper redirect is needed is that it eventually calls exec_shut_down() which saves the session.

I could not figure out why my session was not saved correctly with the user info inside and this is the reason.

So for a very simple login:

PHP Code:

$vbulletin->userinfo = fetch_userinfo($userid);
$vbulletin->session->created = false;
process_new_login($logintype = '', $cookieuser = false, $cssprefs = '');
exec_shut_down(); 


Thanks again for the 'redirect' tip-off, this has been pissing me off for about 2 days.

[Molech]

thanks guys, these posts were very helpful for me.

[otlayi]

Quote:

Originally Posted by jwm0z

Reading this post helped me figure out why my session style (not cookie, cookie was fine) login was not working in an ajax function yet it was in a regular POST/redirect style flow.

A redirect is not explicitly needed, it is what happens during the redirect (exec_header_redirect()) which is needed. After looking through the code the reason it appears that a proper redirect is needed is that it eventually calls exec_shut_down() which saves the session.

I could not figure out why my session was not saved correctly with the user info inside and this is the reason.

So for a very simple login:

PHP Code:

$vbulletin->userinfo = fetch_userinfo($userid);
$vbulletin->session->created = false;
process_new_login($logintype = '', $cookieuser = false, $cssprefs = '');
exec_shut_down(); 


Thanks again for the 'redirect' tip-off, this has been pissing me off for about 2 days.

You sir, are a badass. Replacing my do_login_redirect() with exec_shut_down() and then my own header('Location: /') worked PERFECTLY. Mad props :up: