vb.org Archive > vBulletin 4 Discussion > vB4 Programming Discussions
#1
07-26-2013, 10:21 PM
nerbert
How to control which cookies are used.

I'm working on a project that requires a separate login with a password different from the usual forum one. Since the browser automatically fills in the password input on any login form with the usual one, I want to read a cookie and fill the special password in with JavaScript. The trouble is that the password cookie is among the request cookies when the form is submitted, as well as in other pages in my project. I've looked at regular forum pages and they don't show the cookie there (showthread for instance).

So how do you control which cookies are listed in the request for various pages? The cookie for the special password is used only on the browser to fill in the password input and is not read by the server scripting.
#2
07-27-2013, 12:08 AM
tbworld

Quote:
The trouble is that "cookie" is among the request cookies when the form is submitted, as well as other pages in my project.
I lost you here. In referring to "cookie" in this sentence, what cookie are you referring to? The rest of it, I think I get what you are up to. Is this new cookie being set, being written from vBulletin or outside of vB? Anyway, trying to help.
#3
07-27-2013, 12:36 AM
nerbert

I edited the post for clarity.

But to restate, I checked in the Chrome developer tool and I could see the password cookie listed under request cookies, so it would be available on an insecure connection and someone could hijack with it. The cookie is set with JavaScript and read only by JavaScript, so why does the server know anything about it?
#4
07-27-2013, 01:00 AM
tbworld

@nerbert.

1.) Is this new cookie being created under vbulletin or outside of vbulletin?
2.) Are you altering the vbulletin JavaScript to fill in this new/modified cookie?
3.) Is this being done for a dual package login?

I am asking this.. because I have just about done everything with the vbulletin password/authentication code. We use LDAP, and I modified vbulletin to handle LDAP and other external protocols we use for authentication. I am going to dinner, but then I will try to refresh my memory about all this.

Maybe a bit of pseudocode on your part will help me grasp what you are looking for. For some stupid reason (me being the stupid one), I am missing what you're looking for. I see all the vbulletin cookies on showthread.
#5
07-27-2013, 01:57 AM
nerbert

The project I'm working on is a file manager inside the admin CP. You have to have permission to use it and it requires a special password. Here's the script I have in the login form to set the password cookie when you type it in the first time.

Code:
<script>
        // fetch_object(), fetch_cookie() and set_cookie() are vBulletin's JS helpers.
        var password = fetch_object('fm_login_password');
        // Run after the browser's own autofill so the cookie value wins.
        window.onload = function() {
                setTimeout(function() {
                        var saved = fetch_cookie('fmpassword');
                        if (saved) { password.value = saved; password.focus(); }
                }, 100);
        };
        // Remember the typed password for two months on submit.
        password.form.onsubmit = function() {
                var d = new Date();
                d.setMonth(d.getMonth() + 2);
                set_cookie('fmpassword', password.value, d);
        };
</script>
So the browser sets the cookie and reads the cookie, and the server should never even have the value. But as I said, different pages have different sets of request cookies. This one shows up in all my file manager requests but not in regular forum pages, and cookies that show in forum pages do not show in file manager pages.

If the cookie were set using PHP you could set the path but there's no way to do that when you use JS, so I would think it would show for all the regular pages and the admin cp and file manager. Since it shows only in file manager pages and requests there must be some other way vBulletin decides which cookies to send.
#6
07-27-2013, 10:37 AM
kh99

I found this page which shows how to set the cookie domain and path from javascript: http://www.thesitewizard.com/javascripts/cookies.shtml. You might be able to limit when the cookies are sent, but I'm guessing that if you set the domain and path to something other than where the page was loaded from, it would either be an error or you won't be able to access them next time.

The automatic password fill-in feature must work based on url and password field name, maybe you can somehow change the name of the password text field when you're requesting your fm password.
#7
07-27-2013, 11:11 AM
nerbert

I thought it should be possible to set path and domain with JS but what I read at w3schools suggested you can set only name, value and expires, and the vB function does only that much.

I'll give this a try with the path set to a non-existent page so the server never reads it. I would assume JS can get any cookie it has stored regardless what page it's on.

Thanks
#8
07-27-2013, 11:14 AM
kh99

Quote:
Originally Posted by nerbert
... I would assume JS can get any cookie it has stored regardless what page it's on.
Maybe, but it kind of seems like that would be a security risk, since you could easily write JS for your page that reads all cookies and sends them to your server.
#9
07-27-2013, 01:11 PM
nerbert

Quote:
Originally Posted by kh99
Maybe, but it kind of seems like that would be a security risk, since you could easily write JS for your page that reads all cookies and sends them to your server.
Yes, that seems to be the case. I looked at vBulletin's set_cookie() function and it does set the path to the default "/", so I wrote my own version that sets the path to "/nowhere.php". It successfully sets the cookie but my JS won't read it, and that doesn't seem to have anything to do with vBulletin's fetch_cookie() function; it seems to be built into the browser.

I don't really know what a request cookie is all about, I suppose you could compare the values sent with the values stored for some sort of security check. Somewhere vB specifies a cookie header (or fails to prevent a default one being sent). I have no idea how to change that.
#10
07-27-2013, 07:20 PM
Zachery

Cookies are limited for security reasons (by browsers, not vBulletin). The cookie path is supposed to be a folder, like /forum/ etc. Cookies can only be set for the explicit domain (www.domain.com, abc123.domain.com) or for a domain and all subdomains (*.domain.com); they don't work across domains. For example, if you had a cookie on www1.domain.com and then tried to use it on www2.domain.com without configuring a full cookie domain setting, then it wouldn't work.

You also can't share cookies across domain1.com and domain2.com.
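The scoping rules the last few posts circle around (path and domain as set from JavaScript in #6 and #7, the "/nowhere.php" experiment in #9, and the browser-enforced domain rules in #10) are easier to see in a small model of the browser's cookie store. The following is an added example written for this page, not code from the thread or from vBulletin; it follows the domain-match, default-path and path-match rules of RFC 6265 (sections 5.1.3, 5.1.4 and 5.3), and the names CookieJar, cookiesFor, demo and the forum.example hosts are assumptions made for the example.

```javascript
// Added example: a minimal model of the browser rules (RFC 6265 sections
// 5.1.3, 5.1.4 and 5.3) that decide which stored cookies are attached to a
// request and which ones document.cookie exposes. CookieJar, cookiesFor,
// demo and the forum.example hosts are assumptions made for this example.

// RFC 6265 5.1.4: the default path is the request path up to, but not
// including, the rightmost "/"; "/" if there is no other "/".
function defaultPath(urlPath) {
  if (!urlPath || urlPath[0] !== '/') return '/';
  const i = urlPath.lastIndexOf('/');
  return i === 0 ? '/' : urlPath.slice(0, i);
}

// RFC 6265 5.1.4 path-match: identical, or a prefix that ends at a "/".
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 5.1.3 domain-match; a host-only cookie matches its host exactly.
function domainMatches(cookieDomain, host, hostOnly) {
  if (hostOnly) return host === cookieDomain;
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie set by a page at fromUrl. viaScript=true models a
  // document.cookie write, false a Set-Cookie response header.
  // Returns false when a browser would discard the cookie.
  set(fromUrl, name, value, attrs = {}, viaScript = false) {
    const u = new URL(fromUrl);
    // RFC 6265 5.3 step 10: script cannot create an HttpOnly cookie.
    if (viaScript && attrs.httpOnly) return false;
    const hostOnly = !attrs.domain;
    const domain = (attrs.domain || u.hostname).replace(/^\./, '').toLowerCase();
    // A Domain attribute must cover the setting host (real browsers also
    // reject public suffixes such as "com"; not modelled here).
    if (!hostOnly && !domainMatches(domain, u.hostname, false)) return false;
    const path = attrs.path && attrs.path[0] === '/' ? attrs.path : defaultPath(u.pathname);
    this.cookies = this.cookies.filter(
      c => !(c.name === name && c.domain === domain && c.path === path));
    this.cookies.push({ name, value, domain, hostOnly, path,
                        secure: !!attrs.secure, httpOnly: !!attrs.httpOnly });
    return true;
  }

  // Names of the cookies the browser would put in the Cookie header of a
  // request to url; with forScript=true, what document.cookie would show.
  cookiesFor(url, forScript = false) {
    const u = new URL(url);
    return this.cookies
      .filter(c => domainMatches(c.domain, u.hostname, c.hostOnly))
      .filter(c => pathMatches(c.path, u.pathname))
      .filter(c => !c.secure || u.protocol === 'https:')
      .filter(c => !(forScript && c.httpOnly))
      .map(c => c.name);
  }
}

// Replays the thread's situation on constructed hosts and URLs.
function demo() {
  const jar = new CookieJar();
  const fm = 'https://forum.example/admincp/filemanager.php';
  // vBulletin's set_cookie() uses path "/", so this rides on every request
  // to the host, plain-HTTP ones included.
  jar.set(fm, 'fmpassword', 'secret', { path: '/' }, true);
  // The "/nowhere.php" experiment: stored, but path-match fails on
  // filemanager.php, so neither the server nor the script sees it there.
  jar.set(fm, 'fm_nowhere', 'secret', { path: '/nowhere.php' }, true);
  // Scoped to the one page and marked Secure: still sent to the server,
  // but only on that page and only over HTTPS.
  jar.set(fm, 'fm_scoped', 'secret',
          { path: '/admincp/filemanager.php', secure: true }, true);
  // Post #10: host-only vs. a Domain attribute covering all subdomains.
  const www1 = 'https://www1.forum.example/forum/index.php';
  jar.set(www1, 'hostonly', 'x', {}, true);
  jar.set(www1, 'shared', 'x', { domain: 'forum.example' }, true);
  return {
    onFileManager: jar.cookiesFor(fm),
    onShowthread: jar.cookiesFor('https://forum.example/showthread.php?t=1'),
    onNowhere: jar.cookiesFor('https://forum.example/nowhere.php'),
    overPlainHttp: jar.cookiesFor('http://forum.example/admincp/filemanager.php'),
    httpOnlyFromScript: jar.set(fm, 'sess', 'x', { httpOnly: true }, true),
    onWww2: jar.cookiesFor('https://www2.forum.example/forum/showthread.php'),
  };
}
```

Two things the model makes concrete. First, document.cookie and the Cookie header are driven by the same domain and path matching, so there is no scope that lets script on a page read a cookie while that page's own request omits it; a cookie written from JavaScript looks exactly like a server-set one to the server. Second, the "/nowhere.php" cookie is not gone, it is just unmatched: any request to /nowhere.php itself would carry it. The only attributes that change what the server receives are Secure (withheld on plain HTTP) and the path/domain scope; HttpOnly works the other way round and cannot be set from script at all.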
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.