I have built a SSO (Single Sign-On) system for use between our main site and the Invision Power Board software but I'm not sure how to go about logging the user out of IPB when they log out from the main site?
Additionally, what files would I need to load in the external file to be able to do this?
Edit: to use IPB code for this, you have to include
require_once( IPS_ROOT_PATH . 'applications/core/modules_public/global/login.php' );
then to extend public_core_global_login and to call it's doLogout() method
for this to work you have to set $this->member->setMember( $member_id );
I, personally, have never done it this way, so bellow is how you can do it manually:
IPB sets the data in session and stores several cookies for auto-login. You can perform without using any IPB sources; what you have to do is (note query and updatecookie are some pseudofunctions, for performing DB queries and setting cookie values respectively):
query("DELETE FROM ".$ibf_prefix."sessions WHERE member_id = $userid");
updatecookie($ibf_cookieid."member_id",0,time()-1800);
updatecookie($ibf_cookieid."pass_hash",0,time()-1800);
updatecookie($ibf_cookieid."session_id",0,time()-1800);
You can read $ibf_prefix from conf_global.php :
$ibf_prefix = $INFO[sql_tbl_prefix];
and $ibf_cookieid is:
$ibf_cache = query_first("SELECT cs_value FROM " . $ibf_prefix . "cache_store WHERE cs_key = 'settings'");
$ibf_cache = unserialize($ibf_cache['cs_value']);
$ibf_cookieid = $ibf_cache['cookie_id'];
You can read the source of doLogout method in admin/applications/core/modules_public/global/login.php
I'm not aware of any IPB API for this.
You can try to destroy the session with session_destroy();
If the user has "Remember me" checked, you have to delete the cookie pass_hash too.
Related
i have some problem, i create a page to read news and if the page open it will be update in my database field for news_read +1 but i want if page refresh by user isn't +1
this is my query in page
$q="SELECT*FROM t_news WHERE news_id=$b_id";
$dataJ=mysql_query($q);
$a=mysql_fetch_array($dataJ);
$plus=$a['news_read']+1;
mysql_query("UPDATE t_news set news_read=$plus WHERE news_id=$a[news_id]");
anyone know, how to disable $plus=$a['berita_dibaca']+1; after refreshing the page?
UPDATE
UPDATE
thanks all ,i have solved my problem with session
i put
if ($_SESSION['load']==1){
$_SESSION['load']=0;
}
in all of my page except read.php and i put
if ($_SESSION['load']==0)
{
//QUERY
}
$_SESSION['load'] = 1;
in read.php
Method 1.
Save cookie, if user has cookie don't update database.
Method 2. (better)
Save users who have already viewed this article, and if user is in list do not update database.
Tip:
UPDATE t_news set news_read = news_read + 1 WHERE news_id = $a[news_id]
to avoid useless queries.
That's not a question to solve with sql, but with HTTP.
There is basically no difference between a refresh of a page and the inital request. There both just HTTP commands. There may be a difference in the headers of both requests but you can't always be sure they are present. So using the referer is probaly not a great idea.
Beside Valdas answer with the cookie you may also use the session of your user and set a flag there. (Although most session implementations do also use cookies, but in another way)
This method doesn't require a user to be logged in:
session_start(); // ignore if you're already using sessions
if( !isset($_SESSION['has_read_news'])) $_SESSION['has_read_news'] = array();
if( !isset($_SESSION['has_read_news'][$b_id])) {
mysql_query("UPDATE `t_news` SET `news_read`=`news_read`+1 WHERE `news_id`=".$b_id);
$_SESSION['has_read_news'][$b_id] = true;
}
Note that it's not completely foolproof (clearing the session cookie will allow the user to be counted again) but overall it should be plenty good enough.
I read many question and post about my question but all were not helpful.
I develop website, and in login page i use session.
As i know session is end when browser close,, but my session is not end on browser close..
I want to access my web with out login
here is code that create session
$_SESSION['session_name'] = 'session value';
$_SESSION['is_admin'] = '1';
$general->redirect('home.php');
by this code session is created and i access website definitely,
i try to add session manually , and set these session name in manually session, and then i want to access website,..
you Not give me full detail, but please give me initialize suggestion and helpful source where i read about this.
Thank you.
Simply create a separate page on your website’s root (preferably protected by a HTACCESS password). Call it something like *hack_login.php* (or something more cryptic).
<?php
session_start();
$_SESSION['session_name'] = 'session value';
$_SESSION['is_admin'] = '1';
?>
Now when you access that page, and provided your session cookie is written correctly, you should be authorized when you access your website through the front page.
Don't forget to remove that page once your tests are done ;)
I am working on a symfony project which is made of 2 applications (frontend & backend) and I have been asked to manually create a second session in the backend so that the administrator could access user data (the frontend) from the backend without logging in.
I've set different names in factory.yml so that each application has its own cookie.
Basicalyy, I need to retrieve a user from the backend, manually create the frontend cookie without destroying the backend session then redirect to the frontend.
I've tried the following code but this doesn't work :
$user = $this->getUser()->getAttribute('some_attribute');
$session = new sfSessionStorage();
$option = array(
'session_name' => 'frontend_session_name'
);
$session->initialize($options);
// some code to push the user in the new cookie
$this->redirect('https://frontend.php');
I haven't been using symfony for long and must admit that I'm a bit lost here. I know I need to populate the new cookie with the user data but I can't figure out how.
Any help will be very much appreciated.
edit: I forgot to mention that I'm using propel.
edit #2: I've come up with the following solution which does what intended :
$user = $this->getUser()->getAttribute('some_attribute'); //retrieving the user whose data I'd like to access
$currentSessionId = session_id();
session_write_close();
session_name('frontend_session_name');
session_start();
session_regenerate_id();
$_SESSION['symfony/user/sfUser/culture'] = 'en';
$_SESSION['symfony/user/sfUser/lastRequest'] = time();
$_SESSION['symfony/user/sfUser/authenticated'] = 1;
$_SESSION['symfony/user/sfUser/credentials'] = array('frontend_user');
$_SESSION['symfony/user/sfUser/attributes'] = array(
'symfony/user/sfUser/attributes' => array(
'user' => $user
)
);
session_write_close();
session_name('backend_session_name');
session_id($currentSessionId);
session_start();
$this->redirect('/frontend.php');
So I just manually recreated the session and pushed in the necessary data.
Thanks to those who tried to help.
As sharing a session doesn't seem to be an option for you, I'd suggest:
creating a unique key for each user, not the id, but a separate string that is hard to guess
create a module / action on the frontend that accepts the key as a parameter, finds the corresponding user in the database, and logs them in
You could then generate the required links in the backend that an admin can click and be redirected to.
Not very secure, make sure your keys are long. You'd need to add code to prevent brute forcing, and limit access to the action by IP address maybe?
You could also require the key of the admin user, and check that it is valid too, which would make it harder to guess.
I can't seem to find a straightforward answer to this question. Is there a way in which I can force a logged in user to logout? My login system essentially just relies on a session containing the user's unique ID (which is stored in a mysql database). So essentially just...
if (isset($_SESSION['user_id'])) {
echo "You're logged in!";
} else {
echo "You need to login!";
}
But let's say I want to ban this user, well I can change their status to banned in my database but this won't do anything until the user logs out and attempts to log back in... So, how do I force this user to logout? Preferably without checking every single time they view a page whether or not their status has been switched to "banned" because that seems like unnecessary stress on my server. Any help is appreciated, thank you.
Either you need to check every time they load a page, or possibly look at an Ajax call at set intervals to check their status from the DB.
Then you can use session_destroy(); to end their session. This will destroy their entire session.
Otherwise you can use unset($_SESSION['user_id']); to unset a single session variable
Preferably without checking every single time they view a page whether or not their status has been switched to "banned" because that seems like unnecessary stress on my server.
Loading the user from the database on every page load, rather than storing a copy of the user in the session, is a perfectly reasonable solution. It also prevents the user from getting out of sync with the copy in the database (so that, for instance, you can change a user's properties or permissions without them having to log out and back in).
Try to put this on every page...
if (isset($_SESSION['user_id'])) {
$sql = "SELECT from tbl where status='banned' and user_id=$_SESSION['user_id'] ";
$query = mysql_query($sql);
if(!empty(mysql_num_rows($query))){ // found the banned user
//redirect to logout or
//session_destroy();
}
} else {
echo "You need to login!";
}
if the user is still logged in... check if his/her status is banned or not... if banned.. then logout
You can unset it.
unset($_SESSION['user_id'])
You could use Custom Session Handlers this way you have full control where and how the session data is stored on the server.
So you could store the session data for a particular user in a file called <user_id>.session for example. Then, to logout the user, just delete that file.
Ajax calls in an interval will put extra load on server. If you want real-time response to your actions(e.g. the user will be signed out right when you ban them from your system backend), then you should look into something like Server Push.
The idea is to keep a tunnel open from Server to Browser whenever a user is browsing your website, so that you can communicate with them from server-side too. If you want them to be banned, push a logout request and the process that in your page(i.e. force logout by unsetting session).
This worked for me am using pHP 5.4
include 'connect.php';
session_start();
if(session_destroy())
{
header("Location: login.php");
}
You can use session_save_path() to find the path where PHP saves the session files, and then delete them using unlink().
Once you delete the session file stored in the sever, the client side PHPSESSID cookie will no longer be valid for authentication and the user will be automatically be logger out of your application.
Please be very careful while using this approach, if the path in question turns out to be the global /tmp directory! There's bound to be other processes other than PHP storing temporary data there. If PHP has its own directory set aside for session data it should be fairly safe though.
There is a few ways to do this the best in my opinion based on security is:
NOTE: THIS IS REALLY ROUGH.... I know the syntax is wrong, its just for you to get an idea.
$con = mysql_connect("localhost","sampleuser","samplepass");
if (!$con)
{
$error = "Could not connect to server";
}
mysql_select_db("sampledb", $con);
$result = mysql_query("SELECT * FROM `sampletable` WHERE `username`='".$_SESSION['user_id']."'");
$userdeets = mysql_fetch_array($result);
if($_SESSION['sessionvalue'] != $userdeets['sessionvalue'])
{
session_destroy();
Header('Location: logout.php');
}
else
{
$result2 = mysql_query("UPDATE `sessionvalue` WHERE `username`='".$_SESSION['user_id']."' SET `sessionvalue` = RANDOMVALUE''");
$sesval = mysql_fetch_array($result2);
$_SESSION['sessionvalue'] = $seshval
}
Now I know thats not the very code but in essence what you need to do to be secure and have this ability is:
Everytime a page load check a Session value matches a value in the DB.
Every time a page loads set a new session value based on a random generated DB value. you will need to store the username in a session as well.
if the Session ID's do not match then you destroy the session and redirect them.
if it does match you make the new session ID.
if you want to ban a user you can set their sessionvalue in the DB to a value like "BANNED". this value will not allow them to log in either. this way you can control user through a simple web form and you can also generate list of banned users very easily etc etc. I wish I had more time to explain it I hope this helps.
I'm wondering if there's a way to dump all of the values of
$this->session->userdata()
so I can troubleshoot?
I'm working within Facebook, and have a login page, and once that's successful I want to pass around the UID of the current user, and I thought this would work well.
I currently have the uid set as follows:
require_once 'facebook.php';
$appapikey = 'XXXX';
$appsecret = 'XXXX';
$facebook = new Facebook($appapikey, $appsecret);
$user_id = $facebook->require_login();
$this->db->like('uid', $user_id);
$this->db->from('users');
$has_signed_up = $this->db->count_all_results();
if ($has_signed_up == 0) {
redirect('/setup/signup/', 'location');
}
else {
$this->session->set_userdata('uid', $user_id);
redirect('/preferences/index/', 'location');
}
So the redirection occurs, and I have a very simple setup over at preferences/index:
echo "this is the preferences form <br />";
echo $this->session->userdata('uid');
echo $this->session->userdata('session_id');
And the result is an inscrutable:
this is the preferences form
858f500e167e359edc1942a96f3bac35
So it totally skips over the middle echo containing the uid. Am I not setting this correctly? Is there a way to dump all values of the session array to see what's getting through? Any help would be just great.
UPDATE
I have run var_dump($this->session->userdata) on each the raw website and through Facebook.
On the website it exposes all set values in an array containing 5 values (session_id, IP, User_agent, last_activity, and uid).
Within the Facebook chrome however, it only shows the 4 values set by CodeIgniter. I've heard cookies can only be 4k and that encryption could be a problem. Could FB be filling up cookies with its own encrypted (read:larger) data?
UPDATE 2
When I comment out the redirect, and just have:
else {
$this->session->set_userdata('uid', $user_id);
echo ':test_'.$this->session->userdata('uid').'_test:';
//redirect('/preferences/index/', 'location');
}
It dutifully returns :test_1234_test: within Facebook. So somewhere during the redirect it's losing this part of the array (but not the whole array).
Is it possibly just creating a new session on the redirect page? So that's why it only has the four "stock" variables? If this is the case, I'll need to research how it creates the sessions, and if Facebook clears cookies I suppose.
UPDATE 3
So I've turned to using a DB to store session information instead of cookies, thinking FB was either stripping them or colliding with them. I currently have the app set up to
Set $user_id = 1234
$this->session->set_userdata('uid', $user_id)
Redirect to the new page
Var_dump all possible information
What occurs in the DB is this:
DB records http://nikolausjj.facebook.joyent.us/Picture2.png
So it creates one good record, with the user data, then immediately upon the redirect creates a new session without recognizing the prior one. Can someone explain where the CI framework checks to see if it has a prior session existing? The user manual explains it as "magic" basically.
You can use var_dump() to output the session. Something like this
var_dump($this->session);
The set_userdata call looks ok. Are you sure $user_id is set. Because the echo is surley executed but uid isn't set or set to empty string.
Try replacing the echo with
echo ':test_'.$this->session->userdata('uid').'_test:';
Other information helpful for answering
What browser are you using?
Do you have an underscore _ in your domain name?
Are you using CI sessions or some wrapper for native PHPsessions
Is the value for uid also lost/not set when you comment out the redirect?
Other suggestions:
try redirect('/preferences/index/', 'refresh'); instead of location
I'm not familiar with facebook development but is /preferences/index under your control? If yes try removing (if present) $this->load->library(‘session’) and instead load it in autoload.php.
try changing $config[‘sess_match_ip’] to `FALSE
try setting $config[‘sess_encrypt_cookie’] to FALSE
try replacing the use of CI-Session with CI Native session
Is UID sensible information if not store it in a cookie. If it matters if it can be spoofed don't.
I didn't solve how to pass session variables from one page to another via Facebook. My solution was simply to call the Facebook API for the user's UID again on each page. Not great programming, but it works alright for me. :-/