The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
How to control which cookies are used.
I'm working on a project that requires a separate login with a password different from the usual forum one. Since the browser automatically fills in the password input on any login form with the usual one, I want to read a cookie and fill the special password in with JavaScript. The trouble is that the password cookie is among the request cookies when the form is submitted, as well as in other pages in my project. I've looked at regular forum pages and they don't show the cookie there (showthread for instance).
So how do you control which cookies are listed in the request for various pages? The cookie for the special password is used only on the browser to fill in the password input and is not read by the server scripting. |
#2
|
|||
|
|||
Quote:
|
#3
|
|||
|
|||
I edited the post for clarity.
But to restate, I checked in the Chrome developer tool and I could see the password cookie listed under request cookies, so it would be available on an unsecure connection and someone could hijack with it. The cookie is set with JavaScript and read only by JavaScript, so why does the server know anything about it? |
#4
|
|||
|
|||
@nerbert.
1.) Is this new cookie being created under vbulletin or outside of vbulletin. 2.) Are you altering the vbulletin JavaScript to fill in this new/modified cookie. 3.) Is this being done for a dual package login? I am asking this.. because I have just about done everything with the vbulletin password/authentication code. We use LDAP, and I modified vbulletin to handle LDAP and other external protocols we use for authentication. I am going to dinner, but then I will try to refresh my memory about all this. Maybe a bit of psuedo code on your part, will help me grasp what you are looking for. For some stupid reason (me being the stupid one), I am missing what your looking for. I see all the vbulletin cookies on showthread. |
#5
|
|||
|
|||
The project I'm working on is a file manager inside the admin CP. You have to have permission to use it and it requires a special password. Here's the script I have in the login form to set the password cookie when you type it in the first time.
Code:
<script> var password = fetch_object('fm_login_password'); window.onload = function(){setTimeout("if(PassWord = fetch_cookie('fmpassword')) {password.value = PassWord; password.focus();}", 100)} password.form.onsubmit = function() { var d=new Date(); d.setMonth(d.getMonth()+2); set_cookie('fmpassword', password.value, d); } </script> If the cookie were set using PHP you could set the path but there's no way to do that when you use JS, so I would think it would show for all the regular pages and the admin cp and file manager. Since it shows only in file manager pages and requests there must be some other way vBulletin decides which cookies to send. |
#6
|
|||
|
|||
I found this page which shows how to set the cookie domain and path from javascript: http://www.thesitewizard.com/javascripts/cookies.shtml. You might be able to limit when the cookies are sent, but I'm guessing that if you set the domain and path to something other than where the page was loaded from, it would either be an error or you won't be able to access them next time.
The automatic password fill-in feature must work based on url and password field name, maybe you can somehow change the name of the password text field when you're requesting your fm password. |
#7
|
|||
|
|||
I thought it should be possible to set path and domain with JS but what I read at w3schools suggested you can set only name, value and expires, and the vB function does only that much.
I'll give this a try with the path set to a non-existent page so the server never reads it. I would assume JS can get any cookie it has stored regardless what page it's on. Thanks |
#8
|
|||
|
|||
Maybe, but it kind of seems like that would be a security risk, since you could easily write JS for your page that reads all cookies and sends them to your server.
|
#9
|
|||
|
|||
Quote:
I don't really know what a request cookie is all about, I suppose you could compare the values sent with the values stored for some sort of security check. Somewhere vB specifies a cookie header (or fails to prevent a default one being sent). I have no idea how to change that. |
#10
|
||||
|
||||
Cookies are limited for security reasons (by browsers, not vBulletin). The cookie path is supposed to be a folder, like /forum/ etc. Cookies can only be set for the explicit domain (www.domain.com, abc123.domain.com), or for a domain and all subdomains (*.domain.com) they don't work cross domains, for example if you had a cookie on www1.domain.com and then tried to use it on www2.domain.com without configuring a full cookie domain setting, then it wouldn't work.
You also can't share cookies across domain1.com and domain2.com |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|