Autologin for Xoops 2.0.x [XOOPS Core Hacks] - XOOPS Web Application System

1

Autologin for Xoops 2.0.x

2003/6/18 23:29
AndreyRa
Just popping in
Posts: 17
Since: 2003/3/16

This and other hacks available to download here: Some useful hacks

Tested with XOOPS 2.0RC3 (please read comments at 2nd step), 2.0.2, 2.0.3.

All line numbers based on XOOPS 2.0.3.

1. File: include/common.php, line 128
after // ############## Login a user with a valid session ##############
*updated:Quote:

//Begin: Autologin hack
if ((empty($HTTP_SESSION_VARS['xoopsUserId'])) && (!empty($HTTP_COOKIE_VARS['al_pass'])&&(!empty($HTTP_COOKIE_VARS['al_uid'])))) {
$al_uid=$HTTP_COOKIE_VARS['al_uid'];
$pass=trim($HTTP_COOKIE_VARS['al_pass']);
$member_handler =& xoops_gethandler('member');
$user =& $member_handler->getUser($al_uid);
if (is_object($user)) {
$uname= $user->getVar('uname');
} else {
unset($uname);
};
unset($user);
$myts =& MyTextsanitizer::getInstance();
$user =& $member_handler->loginUser(addslashes($myts->stripSlashesGPC($uname)), addslashes($myts->stripSlashesGPC($pass)),true);
if ($user != false){
setcookie('al_pass', $pass, time()+86400*100,'/','',0);
setcookie('al_uid',$user->uid(),time()+86400*100,'/','',0);
$user->setVar('last_login', time());
if (session_id()==''){session_destroy(); session_start();};
$HTTP_SESSION_VARS = array();
$HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');
$HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();
if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
setcookie($xoopsConfig['session_name'], session_id(), time()+$xoopsConfig['session_expire'], '/', '', 0);
$HTTP_COOKIE_VARS[$xoopsConfig['session_name']]=session_id();
}
$user_theme = $user->getVar('theme');
if (in_array($user_theme, $xoopsConfig['theme_set_allowed'])) {
$HTTP_SESSION_VARS['xoopsUserTheme'] = $user_theme;
}

};
};
//End: Autologin Hack

2. File: kernel/member.php, line 320, replacement for function loginUser:
for ver. 2.0.2 & 2.0.3 (maybe above)
Quote:

//Begin: Autologin hack
function &loginUser($uname, $pwd, $al_login = false)
{
$criteria = new CriteriaCompo(new Criteria('uname', $uname));
if (!$al_login){$mypwd=md5($pwd);} else {$mypwd=$pwd;};
$criteria->add(new Criteria('pass', $mypwd));
$user =& $this->_uHandler->getObjects($criteria, false);
if (!$user || count($user) != 1) {
return false;
}
return $user[0];
}
//End: Autologin hack

...for ver. 2.0RC3:
Quote:

//Begin: Autologin hack
function &loginUser($uname, $pwd, $al_login = false)
{
$criteria = new CriteriaCompo(new Criteria('uname', $uname));
$criteria->add(new Criteria('pass', $pwd));
$user =& $this->_uHandler->getObjects($criteria, false);
if (!$user || count($user) != 1) {
return false;
}
return $user[0];
}
//End: Autologin hack

3.File: include/checklogin.php, line 46, after line if (false != $user) {:
*updated:Quote:

//Begin: Autologin hack
if (!empty($HTTP_POST_VARS['union_al'])&&($HTTP_POST_VARS['union_al']=='Yes')){
setcookie('al_pass', md5($pass), time()+86400*100,'/','',0);
setcookie('al_uid',$user->uid(),time()+86400*100,'/','',0);
};
//End: Autologin hack

4. File: /user.php, line 73, after line session_destroy();:
*updated:Quote:

//Begin: Autologin hack
setcookie('al_pass', '', time()-33600,'/','',0);
setcookie('al_uname', '', time()-33600,'/','',0);
setcookie('al_uid', '', time()-3600,'/','',0);
//End: Autologin hack

5. Goto Control Panel->Administration->Template Editor->Sytem->system_block_login.html (Edit) and add this there:

<input type="checkbox" name="union_al" value="Yes">Remember password<br>

That's all.

By default it mean 100-days autologin. If you want more - just replace all '100' nums by count of days that you want.

Password stored as md5 hash. No open-text password here.
Username stored as ID.

-- Changed 2003-06-21, 17:20 (GMT+4)
Changed al_uname to al_uid, and other code interconnected with it.

PS. Ðóññêóþ âåðñèþ õàêà - ÷èòàéòå íà xoops.ru

2

Re: Autologin for Xoops 2.0.x

2003/6/19 0:55
tom
Friend of XOOPS
Posts: 1359
Since: 2002/9/21

Wicked work, although I won't personaly use it, I expect some will, you should make it a news post.

I would like to see the Devs include this as part of the core, as I'm always reluctant to use modifications unless they are core, because when the next release is made this may not be compatible, or at least I would then need to re-code everything back in.

If the devs make it core, can we have the options from admin to chose when we want it to expire, and even chose by groups who we want to allow this feature too.... that would be cool.

Any way good work keep it up my friend.

3

Re: Autologin for Xoops 2.0.x

2003/6/21 8:26
_masi
Just popping in
Posts: 19
Since: 2003/3/28

A good start and a fine feature. But I have a few issues.

I don't think it is a good idea to store the actual password in the cookie nor it is to send out a simple hashed version of it. Have a look at sourceforge, they use even a hashed/encrypted login plus a special session_persist cookie.

And of course this feature has to be configurable

A config to turn it on and off and another one to configure the timeout in days.

Anyway I'd love to see this in the official XOOPS.

PS: BTW, I posted an ugly autologin hack myself. It's about an auto-login after an auto-approved registration. Perhaps you could integrate this as well, while you're at it

4

Re: Autologin for Xoops 2.0.x

2003/6/21 9:17
AndreyRa
Just popping in
Posts: 17
Since: 2003/3/16

Quote:

_masi wrote:
A good start and a fine feature. But I have a few issues.

I don't think it is a good idea to store the actual password in the cookie nor it is to send out a simple hashed version of it. Have a look at sourceforge, they use even a hashed/encrypted login plus a special session_persist cookie.

The password stored as md5 hash. Actually the password stored as hash in XOOPS database. There only one security issue - login stored as is. Basically it is possible to add procedure, for additional converting a name in user-id. And perhaps I shall engage in it in the near future.

For paranoiacs it is possible to add additional hashed parameter as IP + secret word. But in that case it can not work for people with dynamic IP's.

As to sessions is it is possible to realize only the profound programming of a core. Such a format of the given forum - it will be simply impossible to describe. I am afraid, that it can be made only in format of official CVS.

Quote:

And of course this feature has to be configurable
A config to turn it on and off and another one to configure the timeout in days.

It will cause change too many parts of XOOPS too.

Quote:

Anyway I'd love to see this in the official XOOPS.

I work just in this direction. Also I hope, that I shall find mutual understanding with developers of Xoops.
In this direction I have laid out the full list of my works here: Some useful hacks.

Quote:

PS: BTW, I posted an ugly autologin hack myself. It's about an auto-login after an auto-approved registration. Perhaps you could integrate this as well, while you're at it

My hack is not dependent from your hack. I personally used yours hack and have received a heap of pleasure. Thank for good idea! And a good and compact code.

5

Re: Autologin for Xoops 2.0.x

2003/6/21 11:20
_masi
Just popping in
Posts: 19
Since: 2003/3/28

Hmm, I'm sure there is way to use a "secret" cookie style without changing the internal stored format (ie plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.

And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.

6

Re: Autologin for Xoops 2.0.x

2003/6/21 12:22
Epsylon3
Just popping in
Posts: 1
Since: 2002/10/24

uhm, oh yea passw is not stored in cookie, only the md5 hash ?

7

Re: Autologin for Xoops 2.0.x

2003/6/21 14:09
AndreyRa
Just popping in
Posts: 17
Since: 2003/3/16

Quote:

_masi wrote:
Hmm, I'm sure there is way to use a "secret" cookie style without changing the internal stored format (ie plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.

I wish you successful rest!

I here have thought. It is possible to add the third parameter - the control sum. Which sense will be in hashing the line basing on the password of the user + a confidential word. I thought that such word cannot be thought up, since a code of script is open. And has then thought up, that this word should become the password of the administrator (i.e. the user with ID = 1). Thus we receive binding to the password of the administrator as a confidential key. Quite reasonable way of protection. Basically, to break it is possible, but not so it is easy. And it is more probable only individual login, by peeping traffic of the client. The given way will protect system first of all from bruteforce of hashes from the widespread passwords.

Well as? Secure enough?

mmm. Administrator can replace the password! It is necessary to search for other binding. But what?

Quote:

And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.

For this purpose I was necessary to make changes in SQL. I mean it strong structural changes. Such changes can make impossible successful updating of a XOOPS in future. On this they should be brought extremely by development of the new version (I mean in CVS).

Quote:

Epsylon3 wrote:
uhm, oh yea passw is not stored in cookie, only the md5 hash ?

Yes, so. Now I have made changes to the first message where has specified the given feature separately.

And still I have changed a way of storage of a name of the user in an open kind, for user ID.

8

Re: Autologin for Xoops 2.0.x

2003/6/21 14:54
robnelle
Just popping in
Posts: 14
Since: 2003/5/28

Please Help! I installed this hack and now I can't login at all!

Info:
Xoops version 2.03
PHP version 4.3.2
MySQL version 1.3.27 (Unix)

I installed per the given instructions and I get an 'incorrect login' error everytime I or anyone else tries to login to my site. If I use the lost password function I get the new password just fine but It doesn't work. I installed this hack yesterday and all was well. I stayed logged into my account for over 12 hours but then XOOPS logged me out and I couldn't get back in under any account. What could be wrong? This is what my code looks like after I have finished installing the hack:

file include/common.php

 } 
                } 
                if ($xoopsModule->getVar('hasconfig') == 1 || $xoopsModule->getVar('hascomments') == 1 || $xoopsModule->getVar( 'hasnotification' ) == 1) { 
                        $xoopsModuleConfig =& $config_handler->getConfigsByCat(0, $xoopsModule->getVar('mid')); 
                } 
        } 
                //Begin: Autologin hack 
 
if ((empty($HTTP_SESSION_VARS['xoopsUserId'])) && 
 
(!empty($HTTP_COOKIE_VARS['al_pass'])&&(!empty($HTTP_COOKIE_VARS['al_uname'])))) 
 
{ 
 
         $myts =& MyTextsanitizer::getInstance(); 
 
         $uname=$HTTP_COOKIE_VARS['al_uname']; 
 
         $pass=trim($HTTP_COOKIE_VARS['al_pass']); 
 
         $member_handler =& xoops_gethandler('member'); 
 
         $myts =& MyTextsanitizer::getInstance(); 
 
         $user =& $member_handler->loginUser(addslashes($myts->stripSlashesGPC($uname)), 
 
addslashes($myts->stripSlashesGPC($pass)),true); 
 
         if ($user != false){ 
 
           setcookie('al_pass', $pass, time()+86400*100,'/','',0); 
 
           setcookie('al_uname', addslashes($uname), 
 
time()+86400*100,'/','',0); 
 
           $user->setVar('last_login', time()); 
 
           if (session_id()==''){session_destroy(); session_start();}; 
 
           $HTTP_SESSION_VARS = array(); 
 
           $HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid'); 
 
           $HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups(); 
 
           if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != 
 
'') { 
 
             setcookie($xoopsConfig['session_name'], session_id(), 
 
time()+$xoopsConfig['session_expire'], '/',  '', 0); 
 
             $HTTP_COOKIE_VARS[$xoopsConfig['session_name']]=session_id(); 
 
            } 
 
           $user_theme = $user->getVar('theme'); 
 
           if (in_array($user_theme, $xoopsConfig['theme_set_allowed'])) { 
 
             $HTTP_SESSION_VARS['xoopsUserTheme'] = $user_theme; 
 
            } 
 
 
          }; 
 
         }; 
 
//End: Autologin Hack

file kernel/member.php

 /* function &loginUser($uname, $pwd) 
    { 
        $criteria = new CriteriaCompo(new Criteria('uname', $uname)); 
        $criteria->add(new Criteria('pass', $pwd)); 
        $user =& $this->_uHandler->getObjects($criteria, false); 
        if (!$user || count($user) != 1) { 
            return false; 
        } 
        return $user[0]; 
    }   */ 
    //Begin: Autologin hack 
 
    function &loginUser($uname, $pwd, $al_login = false) 
 
    { 
 
        $criteria = new CriteriaCompo(new Criteria('uname', $uname)); 
 
        if (!$al_login){$mypwd=md5($pwd);} else {$mypwd=$pwd;}; 
 
        $criteria->add(new Criteria('pass', $mypwd)); 
 
        $user =& $this->_uHandler->getObjects($criteria, false); 
 
        if (!$user || count($user) != 1) { 
 
            return false; 
 
        } 
 
        return $user[0]; 
 
    } 
 
//End: Autologin hack

file include/checklogin.php

 // 
if ($uname == '' || $pass == '') { 
        redirect_header(XOOPS_URL.'/user.php', 1, _US_INCORRECTLOGIN); 
        exit(); 
} 
if (false != $user) { 
//Begin: Autologin hack 
 
        if 
 
(!empty($HTTP_POST_VARS['union_al'])&&($HTTP_POST_VARS['union_al']=='Yes')){ 
 
          setcookie('al_pass', md5($pass), 
 
time()+86400*100,'/','',0); 
 
          setcookie('al_uname', addslashes($uname), 
 
time()+86400*100,'/','',0); 
 
         }; 
 
//End: Autologin hack 
        if (0 == $user->getVar('level')) { 
                redirect_header(XOOPS_URL.'/index.php', 5, _US_NOACTTPADM); 
                exit(); 
        }

file user.php

 if ($op == 'logout') { 
        $message = ''; 
        $HTTP_SESSION_VARS = array(); 
        session_destroy(); 
//Begin: Autologin hack 
 
        setcookie('al_pass', '', time()-33600,'/','',0); 
 
        setcookie('al_uname', '', time()-33600,'/','',0); 
 
//End: Autologin hack 
        if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') { 
                setcookie($xoopsConfig['session_name'], '', time()- 3600, '/',  '', 0); 
        }

I think I should let you know that this hack is not the only alteration to the above mentioned files. I also have IBFM and 4images modules installed which also make changes to the common.php, checklogin.php and member.php. I don't know about user.php. I don't know if there may be a possible hack conflict but I thought it wouldn't hurt to mention the other file alterations just in case. I appreciate any help you can give me. If you need me to provide any other info like the complete .php files mentioned above, just let me know.

I am really looking forward to using this wonderful hack! Thanks AndreyRa for creating it and _masi for the wonderful idea!

9

Re: Autologin for Xoops 2.0.x

2003/6/21 15:06
AndreyRa
Just popping in
Posts: 17
Since: 2003/3/16

So. As I also have thought (and even has written on a pair of minutes) - The problem consists that you have incorrectly updated Xoops.
You should use 2.0RC3 script, which number 2 differs step of installation.

I hope, that at you all will turn out. And if still something will get out - write.

10

Re: Autologin for Xoops 2.0.x

2003/6/21 15:27
robnelle
Just popping in
Posts: 14
Since: 2003/5/28

Oh! no problem! Whatever time is convenient for you. I have to go to work now anyway...

Oh by the way, If you want to check the site to see for yourself, the URL is http://nolatalk.com

Stats
Goal:	$100.00
Due Date:	Dec 31
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Re: Autologin for Xoops 2.0.x

Login

Search

Recent Posts

Re: xoops_redirect

Re: XOOPS MyMenus 1.54.0 Beta 10

Re: xoops_redirect

Vulnerability in xmnews, xmsocial and xmarticle modules

xoops_redirect

Re: XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 10

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}