Previous Thread
Next Thread
Print Thread
Rate Thread
Joined: Aug 2006
Posts: 6
Lurker
Lurker
Offline
Joined: Aug 2006
Posts: 6
I am working on programs which run seperate from UBB Threads but which incorporate the UBB threads membership data. I've had no problem figuring out the cookie that UBB threads sets and how to verify it against the w3t_Users data.

For that, I split the cookie. Find w3t_myid and w3t_key values, look up the U_Password field where the U_Number matches the w3t_myid cookie value. Then I take the values for the w3t_myid cookie and the value for the U_Password field and make an md5. If that md5 equals the w3t_key cookie value, the person is treated by my external programs as logged in.

My problem is that this will only work if when the forum member logs in s/he selects to be remembered and a cookie is set for w3t_key.

Looking at the w3t_Users fields, I see that a different md5 is set to the U_SessionID field. I believe if I can figure out how the value of that field is set that I could use it to see if a member is logged in, but I can not figure out how the value is arived at so I can not test for authentication.

Am I on the right track? Is there a better way to address this? Help and advice would be appreciated.

Sponsored Links
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
I type Like navaho
Joined: Mar 2000
Posts: 21,079
Likes: 3
It appear you are on the right track, tho most members choose the 'remember me' and stay logged in. The few scripts I am aware of that work with threads rely on just the cookie method and request that the user log in if the cookie can't be found.


- Allen wavey
- What Drives You?
Joined: Aug 2006
Posts: 6
Lurker
Lurker
Offline
Joined: Aug 2006
Posts: 6
Yep, most scripts rely only on the cookie.

Here is the real boggle. When you select Remember Me, a cookie is set with both the Find w3t_myid and the w3t_key. However, if you do not select Remember Me, a cookie is still set only the cookie only contains w3t_myid.

So this is how I figure the thing works. When you log in, if you choose Remember Me, you get a cookie that lets you get away with not loggin in the next time you visit. That cookie is persistant.

If you do not select Remember Me, you get a cookie that is not persistant and only has your user number.

If you arrive at the UBB site with a cookie that has both the w3t_myid and w3t_key, then it lets you in and might start tracking you via a server side method.

If you arrive at the UBB site without a cookie or with only the w3t_myid field, you are prompted for a username, password, and asked if you want to be remebered. Once you enter this information, one or the other cookie is set and the server side trackign method begins if you choose not to be remembered and probably starts even if you did say you wanted to be remembered.

Basicly, upon arrival at a UBB site there is some method to identify you as you (either a log in or a cookie with both fields). From there, a session ID is established. I am willing to bet it is stored in the W3T_Users table as U_SessionId (which is itself a MD5)

So then, someone logs in and the U_SessionID is filled with an MD5. Then when ever they do anything that requires it, their cookie (either one) is checked for the w3t_myid field. Once that field is retrieved, the U_SessionId is checked against SOMETHING.

There is my problem, there are SOOOOO many things that could be used to generate that session ID. The last thing I wrote that used a similiar system added up all of the envirnornmental variables (IP, OS, Browser, and bla bla) and then turned that into a session ID via MD5.

Ahhh, you see my boggle now. How exactly is that mystical number arrived at?

You are going to make me go do a word search on that field arent you?

Joined: Aug 2006
Posts: 6
Lurker
Lurker
Offline
Joined: Aug 2006
Posts: 6
Uggg, the session ID is a random number.

Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
I type Like navaho
Joined: Mar 2000
Posts: 21,079
Likes: 3
That explains why the others rely on the cookie smile


- Allen wavey
- What Drives You?
Sponsored Links
Joined: May 1999
Posts: 3,039
Guru
Guru
Offline
Joined: May 1999
Posts: 3,039
You should also get a cookie called w3t_mysess. That cookie should match the value in the U_SessionId field if the user is logged in without using the remember me key.


UBB.threads Developer

Link Copied to Clipboard
Donate Today!
Donate via PayPal

Donate to UBBDev today to help aid in Operational, Server and Script Maintenance, and Development costs.

Please also see our parent organization VNC Web Services if you're in the need of a new UBB.threads Install or Upgrade, Site/Server Migrations, or Security and Coding Services.
Recommended Hosts
We have personally worked with and recommend the following Web Hosts:
Stable Host
bluehost
InterServer
Visit us on Facebook
Member Spotlight
badfrog
badfrog
somewhere on the coast of Maine
Posts: 94
Joined: March 2007
Forum Statistics
Forums63
Topics37,573
Posts293,925
Members13,849
Most Online5,166
Sep 15th, 2019
Today's Statistics
Currently Online
Topics Created
Posts Made
Users Online
Birthdays
Top Posters
AllenAyres 21,079
JoshPet 10,369
LK 7,394
Lord Dexter 6,708
Gizmo 5,833
Greg Hard 4,625
Top Posters(30 Days)
Top Likes Received
isaac 82
Gizmo 20
Brett 7
WebGuy 2
Morgan 2
Top Likes Received (30 Days)
None yet
The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 
Powered by UBB.threads™ PHP Forum Software 8.0.0
(Preview build 20240506)