Not sure if this belongs in Coding = Questions and issues related to coding (HTML/CSS/Javascript/PHP or Fortran), or Modifications?
PHP Code:
if ($secure_cookie_value === "Firefox Wins") {
    // Pseudocode for the goal: a valid outside cookie should log the user into MyBB
    $action = 'Let him into MyBB now!!';
}
Please, point me in the right direction, and I can figure the rest out:
For simplicity: Assume account(s) are already created and secure login (setting a non-MyBB cookie) is done over SSL*
*Which might cause issues reading the secure cookie over plain http
How to:
Getting MyBB to eat a Yummier Cookie?
a) User already exists in the MyBB database.
b) "Secure cookie" is set and has built in protection against session hijacking.
c) I already know how to do an "SSO type" of auto-login using MyBB's functions, but then logout won't be based on "Secure cookie", it would be "a normal logout."
d) Where do I start to get MyBB to accept a replacement "Secure cookie" for login and logout?
I know sessions are stored in the db; What I'm looking to do is have "virtually everything else the same", while MyBB accepts "Secure (outside) cookie" instead of the normal one.
Any tips on where to start?
Thank you, for helpful advice.
I lost you. Are you trying to do SSO?
If you're loading sessions from outside MyBB, you'll just need to authenticate using whatever method you're using, and then perhaps hijack the session on the MyBB side. Or you can just simply send the MyBB authentication cookie once the user has authenticated.
Edit #2: If there is a fairly easy answer to "the green section" (below), then I'd be glad to learn; If not, "the other way" is at the bottom of this post.
^^^^^^^
Thanks for the quick answer, Zinga:
I lost you...
(For example), I'm logged into MyBB and close the browser, then tomorrow I return and I'm still logged in.
The moment a session is re-established and MyBB "decides" I'm still logged in (or just logged in, whatever) --> How to get the system to accept a different cookie?*
*Edit: That was poorly worded:
"How to get the system to accept a cookie w/ a different name, not myBB's standard cookie name?"
Are you trying to do SSO?
Yes
...Or you can just simply send the MyBB authentication cookie once the user has authenticated.
No, when "Secure (outside) cookie" expires then the end-user needs to be automatically logged out of MyBB, that is why I don't want to use the MyBB authentication cookies.
The other way:
If (user 'is logged in' && 'currently active*' && $sso_security_check_time = 1*)
{check sso_cookie ;
.....
}
* If someone is still logged into $global_sso, then their session (and MyBB cookie) is not affected;
If someone chooses to be logged out from $global_sso, then their MyBB cookie will also be logged out / expired.
Radically changing the system (like I assumed would need to be done) is too hard, especially when there is a much easier way.
Thanks again.
Why can't you just expire the MyBB cookie in the same way you expire the other cookie? Logging out of your SSO thing can simply just send a logout cookie for MyBB too.
That seems to be the easiest way to me.
Use this tool to determine your cookie settings:
dennistt.net/mybb/cookiesettings.php
Regards
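
One way to do what the thread settles on, expiring the MyBB cookies once the outside cookie is missing, expired or belongs to a different user (an added example, not code from the thread or from MyBB). The `uid|expires|hmac` cookie format, the shared key, the function names and the empty prefix/path/domain are assumptions; `sso_cookie` is the name used in the pseudocode above, and `mybbuser`/`sid` are MyBB's login cookies.

```php
<?php
// Added example, not MyBB code. Assumed SSO cookie format: "uid|expires|hmac".
const SSO_SECRET = 'constructed-demo-key'; // assumption: key shared with the SSO service

// Returns the uid from a correctly signed, unexpired SSO cookie, or null.
function sso_cookie_uid($cookie, int $now): ?int
{
    $parts = is_string($cookie) ? explode('|', $cookie) : [];
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$uid, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid|$expires", SSO_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    return (int) $expires > $now ? (int) $uid : null;
}

// True only if the MyBB login cookie ("uid_loginkey") belongs to the SSO user.
function mybb_session_allowed(array $cookies, int $now, string $prefix = ''): bool
{
    $uid  = sso_cookie_uid($cookies['sso_cookie'] ?? null, $now);
    $mybb = $cookies[$prefix . 'mybbuser'] ?? null;
    return $uid !== null && is_string($mybb)
        && explode('_', $mybb, 2)[0] === (string) $uid;
}

// Expire MyBB's cookies; prefix, path and domain must match the forum's cookie settings.
function expire_mybb_cookies(string $prefix, string $path, string $domain): void
{
    foreach (['mybbuser', 'sid'] as $name) {
        setcookie($prefix . $name, '', time() - 3600, $path, $domain);
        unset($_COOKIE[$prefix . $name]); // also ignore it for the current request
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample cookies for an offline run.
    $now  = 1700000000;
    $sign = fn(string $p): string => $p . '|' . hash_hmac('sha256', $p, SSO_SECRET);
    $live = $sign('42|' . ($now + 600));
    $old  = $sign('42|' . ($now - 1));
    var_dump(mybb_session_allowed(['sso_cookie' => $live, 'mybbuser' => '42_key'], $now)); // live, same uid
    var_dump(mybb_session_allowed(['sso_cookie' => $old, 'mybbuser' => '42_key'], $now));  // expired SSO cookie
    var_dump(mybb_session_allowed(['sso_cookie' => $live, 'mybbuser' => '7_key'], $now));  // uid mismatch
    var_dump(mybb_session_allowed(['mybbuser' => '42_key'], $now));                        // no SSO cookie
} elseif (isset($_COOKIE['mybbuser']) && !mybb_session_allowed($_COOKIE, time())) {
    expire_mybb_cookies('', '/', ''); // assumption: replace with the forum's own values
}
```

This only removes the browser's login cookies, as suggested above; the session row MyBB keeps in its database is not touched. If the SSO cookie is set with the Secure flag, the browser will not send it over plain http, so the check would treat those requests as logged out.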