1
AndreyRa
Autologin for Xoops 2.0.x
  • 2003/6/18 23:29

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


This and other hacks available to download here: Some useful hacks

Tested with XOOPS 2.0RC3 (please read comments at 2nd step), 2.0.2, 2.0.3.

All line numbers based on XOOPS 2.0.3.

1. File: include/common.php, line 128
after // ############## Login a user with a valid session ##############
*updated:Quote:

//Begin: Autologin hack
if ((empty($HTTP_SESSION_VARS['xoopsUserId'])) && (!empty($HTTP_COOKIE_VARS['al_pass'])&&(!empty($HTTP_COOKIE_VARS['al_uid'])))) {
$al_uid=$HTTP_COOKIE_VARS['al_uid'];
$pass=trim($HTTP_COOKIE_VARS['al_pass']);
$member_handler =& xoops_gethandler('member');
$user =& $member_handler->getUser($al_uid);
if (is_object($user)) {
$uname= $user->getVar('uname');
} else {
unset($uname);
};
unset($user);
$myts =& MyTextsanitizer::getInstance();
$user =& $member_handler->loginUser(addslashes($myts->stripSlashesGPC($uname)), addslashes($myts->stripSlashesGPC($pass)),true);
if ($user != false){
setcookie('al_pass', $pass, time()+86400*100,'/','',0);
setcookie('al_uid',$user->uid(),time()+86400*100,'/','',0);
$user->setVar('last_login', time());
if (session_id()==''){session_destroy(); session_start();};
$HTTP_SESSION_VARS = array();
$HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');
$HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();
if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
setcookie($xoopsConfig['session_name'], session_id(), time()+$xoopsConfig['session_expire'], '/', '', 0);
$HTTP_COOKIE_VARS[$xoopsConfig['session_name']]=session_id();
}
$user_theme = $user->getVar('theme');
if (in_array($user_theme, $xoopsConfig['theme_set_allowed'])) {
$HTTP_SESSION_VARS['xoopsUserTheme'] = $user_theme;
}

};
};
//End: Autologin Hack


2. File: kernel/member.php, line 320, replacement for function loginUser:
for ver. 2.0.2 & 2.0.3 (maybe above)
Quote:

//Begin: Autologin hack
function &loginUser($uname, $pwd, $al_login = false)
{
$criteria = new CriteriaCompo(new Criteria('uname', $uname));
if (!$al_login){$mypwd=md5($pwd);} else {$mypwd=$pwd;};
$criteria->add(new Criteria('pass', $mypwd));
$user =& $this->_uHandler->getObjects($criteria, false);
if (!$user || count($user) != 1) {
return false;
}
return $user[0];
}
//End: Autologin hack


...for ver. 2.0RC3:
Quote:

//Begin: Autologin hack
function &loginUser($uname, $pwd, $al_login = false)
{
$criteria = new CriteriaCompo(new Criteria('uname', $uname));
$criteria->add(new Criteria('pass', $pwd));
$user =& $this->_uHandler->getObjects($criteria, false);
if (!$user || count($user) != 1) {
return false;
}
return $user[0];
}
//End: Autologin hack


3.File: include/checklogin.php, line 46, after line if (false != $user) {:
*updated:Quote:

//Begin: Autologin hack
if (!empty($HTTP_POST_VARS['union_al'])&&($HTTP_POST_VARS['union_al']=='Yes')){
setcookie('al_pass', md5($pass), time()+86400*100,'/','',0);
setcookie('al_uid',$user->uid(),time()+86400*100,'/','',0);
};
//End: Autologin hack


4. File: /user.php, line 73, after line session_destroy();:
*updated:Quote:

//Begin: Autologin hack
setcookie('al_pass', '', time()-33600,'/','',0);
setcookie('al_uname', '', time()-33600,'/','',0);
setcookie('al_uid', '', time()-3600,'/','',0);
//End: Autologin hack


5. Goto Control Panel->Administration->Template Editor->Sytem->system_block_login.html (Edit) and add this there:
<input type="checkbox" name="union_al" value="Yes">Remember password<br>


That's all.

By default it mean 100-days autologin. If you want more - just replace all '100' nums by count of days that you want.

Password stored as md5 hash. No open-text password here.
Username stored as ID.

-- Changed 2003-06-21, 17:20 (GMT+4)
Changed al_uname to al_uid, and other code interconnected with it.


PS. Ðóññêóþ âåðñèþ õàêà - ÷èòàéòå íà xoops.ru

2
tom
Re: Autologin for Xoops 2.0.x
  • 2003/6/19 0:55

  • tom

  • Friend of XOOPS

  • Posts: 1359

  • Since: 2002/9/21


Wicked work, although I won't personaly use it, I expect some will, you should make it a news post.

I would like to see the Devs include this as part of the core, as I'm always reluctant to use modifications unless they are core, because when the next release is made this may not be compatible, or at least I would then need to re-code everything back in.

If the devs make it core, can we have the options from admin to chose when we want it to expire, and even chose by groups who we want to allow this feature too.... that would be cool.

Any way good work keep it up my friend.

3
_masi
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 8:26

  • _masi

  • Just popping in

  • Posts: 19

  • Since: 2003/3/28


A good start and a fine feature. But I have a few issues.

I don't think it is a good idea to store the actual password in the cookie nor it is to send out a simple hashed version of it. Have a look at sourceforge, they use even a hashed/encrypted login plus a special session_persist cookie.

And of course this feature has to be configurable
A config to turn it on and off and another one to configure the timeout in days.

Anyway I'd love to see this in the official XOOPS.

PS: BTW, I posted an ugly autologin hack myself. It's about an auto-login after an auto-approved registration. Perhaps you could integrate this as well, while you're at it

4
AndreyRa
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 9:17

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


Quote:
_masi wrote:
A good start and a fine feature. But I have a few issues.

I don't think it is a good idea to store the actual password in the cookie nor it is to send out a simple hashed version of it. Have a look at sourceforge, they use even a hashed/encrypted login plus a special session_persist cookie.

The password stored as md5 hash. Actually the password stored as hash in XOOPS database. There only one security issue - login stored as is. Basically it is possible to add procedure, for additional converting a name in user-id. And perhaps I shall engage in it in the near future.

For paranoiacs it is possible to add additional hashed parameter as IP + secret word. But in that case it can not work for people with dynamic IP's.

As to sessions is it is possible to realize only the profound programming of a core. Such a format of the given forum - it will be simply impossible to describe. I am afraid, that it can be made only in format of official CVS.

Quote:

And of course this feature has to be configurable
A config to turn it on and off and another one to configure the timeout in days.

It will cause change too many parts of XOOPS too.

Quote:

Anyway I'd love to see this in the official XOOPS.

I work just in this direction. Also I hope, that I shall find mutual understanding with developers of Xoops.
In this direction I have laid out the full list of my works here: Some useful hacks.

Quote:

PS: BTW, I posted an ugly autologin hack myself. It's about an auto-login after an auto-approved registration. Perhaps you could integrate this as well, while you're at it

My hack is not dependent from your hack. I personally used yours hack and have received a heap of pleasure. Thank for good idea! And a good and compact code.

5
_masi
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 11:20

  • _masi

  • Just popping in

  • Posts: 19

  • Since: 2003/3/28


Hmm, I'm sure there is way to use a "secret" cookie style without changing the internal stored format (ie plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.

And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.

6
Epsylon3
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 12:22

  • Epsylon3

  • Just popping in

  • Posts: 1

  • Since: 2002/10/24


uhm, oh yea passw is not stored in cookie, only the md5 hash ?

7
AndreyRa
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 14:09

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


Quote:
_masi wrote:
Hmm, I'm sure there is way to use a "secret" cookie style without changing the internal stored format (ie plain login and hashed password). I'll try and think of a method - it'd be on paper cause I'm off to a vacation soon.

I wish you successful rest!

I here have thought. It is possible to add the third parameter - the control sum. Which sense will be in hashing the line basing on the password of the user + a confidential word. I thought that such word cannot be thought up, since a code of script is open. And has then thought up, that this word should become the password of the administrator (i.e. the user with ID = 1). Thus we receive binding to the password of the administrator as a confidential key. Quite reasonable way of protection. Basically, to break it is possible, but not so it is easy. And it is more probable only individual login, by peeping traffic of the client. The given way will protect system first of all from bruteforce of hashes from the widespread passwords.

Well as? Secure enough?

mmm. Administrator can replace the password! It is necessary to search for other binding. But what?

Quote:

And you don't need to change many things to get something configurable. XOOPS provides a quite advanced configuration system. It uses a general table and an OO-API for access. I'll dig up some info for you how to use it.

For this purpose I was necessary to make changes in SQL. I mean it strong structural changes. Such changes can make impossible successful updating of a XOOPS in future. On this they should be brought extremely by development of the new version (I mean in CVS).

Quote:
Epsylon3 wrote:
uhm, oh yea passw is not stored in cookie, only the md5 hash ?

Yes, so. Now I have made changes to the first message where has specified the given feature separately.

And still I have changed a way of storage of a name of the user in an open kind, for user ID.

8
robnelle
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 14:54

  • robnelle

  • Just popping in

  • Posts: 14

  • Since: 2003/5/28


Please Help! I installed this hack and now I can't login at all!

Info:
Xoops version 2.03
PHP version 4.3.2
MySQL version 1.3.27 (Unix)


I installed per the given instructions and I get an 'incorrect login' error everytime I or anyone else tries to login to my site. If I use the lost password function I get the new password just fine but It doesn't work. I installed this hack yesterday and all was well. I stayed logged into my account for over 12 hours but then XOOPS logged me out and I couldn't get back in under any account. What could be wrong? This is what my code looks like after I have finished installing the hack:

file include/common.php
}
                }
                if (
$xoopsModule->getVar('hasconfig') == || $xoopsModule->getVar('hascomments') == || $xoopsModule->getVar'hasnotification' ) == 1) {
                        
$xoopsModuleConfig =& $config_handler->getConfigsByCat(0$xoopsModule->getVar('mid'));
                }
        }
                
//Begin: Autologin hack

if ((empty($HTTP_SESSION_VARS['xoopsUserId'])) &&

(!empty(
$HTTP_COOKIE_VARS['al_pass'])&&(!empty($HTTP_COOKIE_VARS['al_uname']))))

{

         
$myts =& MyTextsanitizer::getInstance();

         
$uname=$HTTP_COOKIE_VARS['al_uname'];

         
$pass=trim($HTTP_COOKIE_VARS['al_pass']);

         
$member_handler =& xoops_gethandler('member');

         
$myts =& MyTextsanitizer::getInstance();

         
$user =& $member_handler->loginUser(addslashes($myts->stripSlashesGPC($uname)),

addslashes($myts->stripSlashesGPC($pass)),true);

         if (
$user != false){

           
setcookie('al_pass'$passtime()+86400*100,'/','',0);

           
setcookie('al_uname'addslashes($uname),

time()+86400*100,'/','',0);

           
$user->setVar('last_login'time());

           if (
session_id()==''){session_destroy(); session_start();};

           
$HTTP_SESSION_VARS = array();

           
$HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');

           
$HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();

           if (
$xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] !=

'') {

             
setcookie($xoopsConfig['session_name'], session_id(),

time()+$xoopsConfig['session_expire'], '/',  ''0);

             
$HTTP_COOKIE_VARS[$xoopsConfig['session_name']]=session_id();

            }

           
$user_theme $user->getVar('theme');

           if (
in_array($user_theme$xoopsConfig['theme_set_allowed'])) {

             
$HTTP_SESSION_VARS['xoopsUserTheme'] = $user_theme;

            }


          };

         };

//End: Autologin Hack


file kernel/member.php

/* function &loginUser($uname, $pwd)
    {
        $criteria = new CriteriaCompo(new Criteria('uname', $uname));
        $criteria->add(new Criteria('pass', $pwd));
        $user =& $this->_uHandler->getObjects($criteria, false);
        if (!$user || count($user) != 1) {
            return false;
        }
        return $user[0];
    }   */
    //Begin: Autologin hack

    
function &loginUser($uname$pwd$al_login false)

    {

        
$criteria = new CriteriaCompo(new Criteria('uname'$uname));

        if (!
$al_login){$mypwd=md5($pwd);} else {$mypwd=$pwd;};

        
$criteria->add(new Criteria('pass'$mypwd));

        
$user =& $this->_uHandler->getObjects($criteriafalse);

        if (!
$user || count($user) != 1) {

            return 
false;

        }

        return 
$user[0];

    }

//End: Autologin hack


file include/checklogin.php

//
if ($uname == '' || $pass == '') {
        
redirect_header(XOOPS_URL.'/user.php'1_US_INCORRECTLOGIN);
        exit();
}
if (
false != $user) {
//Begin: Autologin hack

        
if

(!empty(
$HTTP_POST_VARS['union_al'])&&($HTTP_POST_VARS['union_al']=='Yes')){

          
setcookie('al_pass'md5($pass),

time()+86400*100,'/','',0);

          
setcookie('al_uname'addslashes($uname),

time()+86400*100,'/','',0);

         };

//End: Autologin hack
        
if (== $user->getVar('level')) {
                
redirect_header(XOOPS_URL.'/index.php'5_US_NOACTTPADM);
                exit();
        }


file user.php

if ($op == 'logout') {
        
$message '';
        
$HTTP_SESSION_VARS = array();
        
session_destroy();
//Begin: Autologin hack

        
setcookie('al_pass'''time()-33600,'/','',0);

        
setcookie('al_uname'''time()-33600,'/','',0);

//End: Autologin hack
        
if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
                
setcookie($xoopsConfig['session_name'], ''time()- 3600'/',  ''0);
        }


I think I should let you know that this hack is not the only alteration to the above mentioned files. I also have IBFM and 4images modules installed which also make changes to the common.php, checklogin.php and member.php. I don't know about user.php. I don't know if there may be a possible hack conflict but I thought it wouldn't hurt to mention the other file alterations just in case. I appreciate any help you can give me. If you need me to provide any other info like the complete .php files mentioned above, just let me know.


I am really looking forward to using this wonderful hack! Thanks AndreyRa for creating it and _masi for the wonderful idea!


9
AndreyRa
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 15:06

  • AndreyRa

  • Just popping in

  • Posts: 17

  • Since: 2003/3/16


So. As I also have thought (and even has written on a pair of minutes) - The problem consists that you have incorrectly updated Xoops.
You should use 2.0RC3 script, which number 2 differs step of installation.

I hope, that at you all will turn out. And if still something will get out - write.

10
robnelle
Re: Autologin for Xoops 2.0.x
  • 2003/6/21 15:27

  • robnelle

  • Just popping in

  • Posts: 14

  • Since: 2003/5/28


Oh! no problem! Whatever time is convenient for you. I have to go to work now anyway...

Oh by the way, If you want to check the site to see for yourself, the URL is http://nolatalk.com


Login

Username:
Password:

Lost Password? Register now!

Who's Online

71 user(s) are online (36 user(s) are browsing Support Forums)


Members: 0


Guests: 71


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jan 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits