51
sudhaker
By this time a baby would have been born !!!
  • 2005/1/6 16:11
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Ref: https://sourceforge.net/tracker/index.php?func=detail&aid=912823&group_id=41586&atid=430842

It was a bit frustrating not to see the code merged into 2.0.9.2 - even after more than 9 months since the patch request was submitted. By this time a baby would have been born, if.......

My suggested change was not going to break anything FOR SURE, and all it was supposed to do was decrease the number of db queries by one for almost every request except the first one for any session.

Anyway, I guess for most people it only matters if the code works. I wish the XOOPS core team were a little more concerned about performance and security. I have also seen the demo by GIJOE (good work!!! appreciated). The core team should have taken these things seriously.

---

Also check this more than a year old post: https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=13526&forum=20 . The expected reaction from the XOOPS team was placing a .htaccess file in their default distribution to disallow all .html files under the themes directory, which will work great for most people.

Cheers,



52
sudhaker
Re: CHMOD Recommendations
  • 2005/1/6 15:38
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


It is simply not possible using a PHP script running under (apache/nobody) privilege.

Till now, I was doing it by making the whole tree on my local Linux system. Then these steps: set permissions -> tar+gzip -> upload -> extract using the cPanel file manager.

Either FTP CHMOD or SHELL ACCESS will be required.

Wait, I'm working on this SCRIPT which will do it using FTP CHMOD. Stay tuned.

Cheers,



53
sudhaker
Re: CHMOD Recommendations
  • 2005/1/6 4:06
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Coz, execute permission on a directory actually means listing permission.

Cheers,



54
sudhaker
Re: Auto login hack + Login using email.
  • 2005/1/5 22:13
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


More secure?

By using the md5 of actkey as autologin_key we are successfully protecting our confidential information (no password-related information is sent). If the site master wants to invalidate any (or all) saved autologin cookies, he can simply null the column in his server db. Also, when a user changes the password, actkey is changed to the next random value automatically, effectively invalidating all of his saved autologin cookies. This looks pretty satisfactorily secure and safe to me.

The cookie autologin_uname is sent in plain text, but this is also not a big problem. In fact, uname is already known to the public via posts in the news and forums modules and other blocks.

Now consider the possibility of hijacking. What if someone steals those cookies? Discuss it in this thread and see if we can come up with any better solution. (Remember, PHPSESSIONID or your custom id cookie has similar issues.)

Keep in mind the following:

1. I need to use the autologin feature from many computers (e.g. work, home). This means there can be more than one valid saved autologin cookie.
2. The user can be on a dynamic IP.
3. UserAgent will be fixed for every machine, but someone who can steal cookies can forge this too. Changing UserAgent is even simpler.
4. There can be more than one XOOPS installed on the same site.

---

Cookies get a new lifetime when the user opens the site before the autologin cookies expire. Have we done it intentionally? Remember gMail asking for the password after 2 weeks no matter how frequently you visit them.

Related to the point raised by m0nty – I will assume that site administrators are educated enough and know the risk of autologin cookies. I can easily live with that. But if we want this implemented anyway – a very simple change will be required in /include/checklogin.php and one more constant in mainfile.php (hehe).

We should also try to move the XOOPS_COOKIE_PATH and XOOPS_AUTOLOGIN_LIFETIME into xoops_config table (if possible).



55
sudhaker
Re: Auto login hack + Login using email.
  • 2005/1/5 1:53
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Fixed and tested

http://xoops.biz/dist/my_autologin_for_xoops-2.0.9.x.tar.gz

With the recent patch - actkey gets a new random value every time the user changes the password - so saved cookies will become invalid. SAFER NOW

Enjoy



56
sudhaker
Re: Disable Login in XOOPS
  • 2005/1/2 9:07
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Yes, only hiding is what Micro$oft does. Hide and disable is surely the better option.

modules/system/templates/system_userform.html has the main login and forgot-password form. Blank it and update the system module. Or clone the template and edit it.



57
sudhaker
Auto login hack + Login using email.
  • 2005/1/2 9:00
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Hi Friends,

Get the patch from - http://xoops.biz/dist/my_autologin_for_xoops-2.0.9.x.zip

--------------------------------------------------

This is my first XOOPS hack released to the public.

My hack is highly influenced by GIJOE's auto-login hack. This does exactly the same thing but my approach is a bit refined (I think so, feel free to disagree).

Following are the major changes.

1. In place of making a localized code change, I also changed "kernel/member.php" and added two new methods, loginUserAuto (auto-login someone using saved cookies) and loginUserEmail (login someone using email as username).

2. I am using the value stored in the actkey column for the auto-login feature. I too am totally against storing the MD5 of the real password in user cookies (like the author of the original auto-login and several other people). So here is perhaps the safer work-around. The MD5 of actkey is sent to the user's browser as a cookie and the same is matched for auto-login. I found this column useless after user activation - so why don't we overload it.

Minor differences:

1. I had to change "kernel/user.php" also, as it was not persisting the actkey column for any existing user.

2. _MB_SYSTEM_REMEMBERME is not used. Rather, the global variable _REMEMBERME is used to render both 'system_userform.html' and 'system_block_login.html'. I didn't see any reason for duplicating the variable for the block and the main page.

3. Using cookie name 'autologin_key' in place of 'autologin_pass'.

4. Using XOOPS's standard function checkEmail() to test if an email was passed as userId.

Looking forward to seeing feedback from you people.

------------------------------------------------------

Q. How to install hack?

A. You should know what you are doing. This patch is OK for version 2.0.9.x only, and you just need to overwrite files with the supplied ones. (For older versions, search for the word "sraj" in the hacked files and merge the changes manually.)

After overwriting, don't forget to update the system module.

Done, Enjoy...

------------------------------------------------------

GIJOE: Sorry I copied your code fragments shamelessly. Feel free to merge my suggested changes into your hack. I guess there is still scope for making it better.

(If we allow auto-login from just one PC, then every auto-login can reset actkey to a new value and update the autologin cookies - perhaps a much safer option.)

Cheers,
Sudhaker Raj
sudhaker _at_ yahoo _dot_ com

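The cookie scheme described in this post and discussed in post 54 (md5 of actkey as the cookie value, rotation of actkey on password change, the admin "null the column" revocation, and the single-PC rotate-on-every-login variant) is modelled below as an added example. This is editor-written Python, not the poster's PHP patch or any XOOPS code; the in-memory UserTable, the `sudhaker`/`gijoe` rows, the email addresses and the function names are constructed stand-ins, and the constant-time comparison is an addition the page does not mention.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def new_actkey() -> str:
    # Fresh random secret from a CSPRNG; the cookie never carries it directly.
    return secrets.token_hex(4)


@dataclass
class UserRow:
    """One users-table row (hypothetical stand-in for the XOOPS table)."""
    uid: int
    uname: str
    email: str
    pass_hash: str   # XOOPS 2.0.x stored md5(password); kept only to mirror the page
    actkey: str      # activation key column, overloaded as the per-user auto-login secret


class UserTable:
    """Constructed in-memory table; the real code would run SQL against the db."""

    def __init__(self) -> None:
        self._rows: Dict[int, UserRow] = {}

    def add(self, uname: str, email: str, password: str) -> UserRow:
        row = UserRow(len(self._rows) + 1, uname, email, md5hex(password), new_actkey())
        self._rows[row.uid] = row
        return row

    def by_uname(self, uname: str) -> Optional[UserRow]:
        return next((r for r in self._rows.values() if r.uname == uname), None)

    def by_email(self, email: str) -> Optional[UserRow]:
        return next((r for r in self._rows.values() if r.email == email), None)

    def revoke_all_autologin(self) -> None:
        """The admin 'null the column' action: every saved cookie stops matching."""
        for row in self._rows.values():
            row.actkey = ""


def make_autologin_cookies(user: UserRow) -> Dict[str, str]:
    """What the browser stores: uname plus md5(actkey); no password-derived value."""
    return {"autologin_uname": user.uname, "autologin_key": md5hex(user.actkey)}


def login_user_auto(table: UserTable, cookies: Dict[str, str]) -> Optional[UserRow]:
    """Counterpart of the post's loginUserAuto: match md5(actkey) against the cookie."""
    user = table.by_uname(cookies.get("autologin_uname", ""))
    if user is None or not user.actkey:
        return None  # unknown uname, or auto-login revoked for this account
    expected = md5hex(user.actkey)
    # Constant-time compare is an addition; the page's PHP would use a plain ==.
    if not hmac.compare_digest(expected, cookies.get("autologin_key", "")):
        return None
    return user


def login_user_auto_rotating(table: UserTable, cookies: Dict[str, str]
                             ) -> Optional[Tuple[UserRow, Dict[str, str]]]:
    """The single-PC variant from the post: each successful auto-login rotates actkey
    and hands back fresh cookies, so a copied cookie dies on the next legitimate use."""
    user = login_user_auto(table, cookies)
    if user is None:
        return None
    user.actkey = new_actkey()
    return user, make_autologin_cookies(user)


def login_user_email(table: UserTable, login_id: str, password: str) -> Optional[UserRow]:
    """Counterpart of loginUserEmail: accept an email address where a uname is expected."""
    user = table.by_email(login_id) if "@" in login_id else table.by_uname(login_id)
    if user is None or not hmac.compare_digest(user.pass_hash, md5hex(password)):
        return None
    return user


def change_password(user: UserRow, new_password: str) -> None:
    """Rotating actkey here is what invalidates every previously issued auto-login cookie."""
    user.pass_hash = md5hex(new_password)
    user.actkey = new_actkey()


if __name__ == "__main__":
    table = UserTable()
    u = table.add("sudhaker", "sudhaker@example.com", "old-pw")   # constructed row
    saved = make_autologin_cookies(u)
    print("auto-login before change:", login_user_auto(table, saved) is u)
    change_password(u, "new-pw")
    print("auto-login after change: ", login_user_auto(table, saved) is u)
```

Note the trade-off the two auto-login functions make explicit: `login_user_auto` keeps every device's cookie valid until the password changes or the column is nulled (point 1 of post 54), while `login_user_auto_rotating` gives the single-PC property from the closing remark, at the cost of logging out every other device on each use.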


58
sudhaker
Re: Fundamentals of Xoops, Xaraya, and Mambo
  • 2004/11/1 17:41
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


That was an excellent piece of work. I have taken a print-out to read fully during my commute. You guys are doing really great. I wish I also had the time and opportunity to be part of the team.



59
sudhaker
Re: Fundamentals of Xoops, Xaraya, and Mambo
  • 2004/11/1 4:51
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Xoops is getting better day by day. My CMS search stopped when I understood its OOP design and concept. I don't understand why everyone doesn't use it. Perhaps the reason is the same as why everyone doesn't drive a Honda.

I see the following improvements for XOOPS when template designing comes into the picture.

The right column is hidden when there are no blocks in it, but what is wrong with the left column? Why don't we hide it too when there is no block in it? I did a small hack for it – see http://thej2ee.com in action.

The template does not have any info about what module it is showing. Say I want to highlight the currently active module's menu item in the main menu?? There should be a smarty variable for it. I have a hack for this too - but not used anywhere yet.

There are other things which are expected from the template designer, not the XOOPS dev team. Mambo has 2 user-specific regions – user1 / user2 – other than the normal top/left/center/right/footer regions. Mambo designers could show more creativity perhaps because of this flexibility. But here in XOOPS too, we have center-left and center-right which can be easily placed anywhere on the page. Till now, I have not seen any template designer using this… We gotta go out-of-the-box in order to compete with others.

Long live Xoops.



60
sudhaker
Re: How to change small icon in address bar
  • 2004/9/24 16:19
  • sudhaker
  • Not too shy to talk
  • Posts: 117
  • Since: 2003/2/6 2


Try this - Google is great

BTW, the file is favicon.ico in your home dir, i.e. '/'



