cotonti.com : Auth System

Trustmaster

Mo, 01 Mär 2010 23:10:23 -0000

The $_SESSION['cot_user_id'] variable will available in 0.6.7.

scriptor

Mo, 01 Mär 2010 17:36:53 -0000

okay the i wait because this script cant give me my user id when i´m logged in

Trustmaster

So, 28 Feb 2010 20:54:59 -0000

# scriptor : How to find the user id of an active session with an external script that don´t use the Cotonti Function?

This method is not very secure and can be faked with a cookie, but I'll explain it. First you need to get $cfg['mainurl'] from Cotonti's datas/config.php. Then you can get the user ID like this:

$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
if (!empty($_COOKIE[$site_id])) $u_data = $_COOKIE[$site_id];
elseif (!empty($_SESSION[$site_id])) $u_data = $_SESSION[$site_id];
else $u_data = false;

if ($u_data)
{
  // Get Cotonti user ID
  $u_data = explode(':_:', base64_decode($u_data));
  $cot_user_id = $u_data[0];
}
else
{
  // Not logged in
}

In Cotonti Siena there will be a session variable to get that ID in a more easy and reliable way.

GHengeveld

So, 28 Feb 2010 05:37:08 -0000

Interesting read, thanks for that Trustmaster.

scriptor

Di, 23 Feb 2010 19:26:29 -0000

How to find the user id of an active session with an external script that don´t use the Cotonti Function?

Trustmaster

Di, 23 Feb 2010 16:57:07 -0000

Yes, the authentication system is a bit complicated. The actual authenticating code (that checks user auth keys) is located in system/common.php at lines 201-311.

Here is a brief explanation of how it works.

First you login via users.php?m=auth. That script checks your username and password. If the login is successful, it creates the authentication keys, which consist of:

User ID
Password Hash. This is not just and MD5 hash of the password. It is actually
```
$passhash = md5($rmdpass.$hashsalt);
```
where $rmdpass is an MD5 hash of the password and $hashsalt is a random string that does not let an attacker to get a collision for your password if he has got the $passhash from your cookie

If you have chosen "remember me", authentication keys will be saved in cookie variable, otherwise a session variable is used. Variable name is $sys['site_id'], so it's unique for every site:

$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

Putting all together, the auth keys are remembered like this:

$passhash = md5($rmdpass.$hashsalt);
$u = base64_encode($ruserid.':_:'.$passhash);

if($rremember)
{
	sed_setcookie($sys['site_id'], $u, time()+$cfg['cookielifetime'], $cfg['cookiepath'], $cfg['cookiedomain'], $sys['secure'], true);
}
else
{
	$_SESSION[$sys['site_id']] = $u;
}

Then goes another trick against client side request forgery: the hashsalt is changed every minute. To be more correct, there is a session variable that indicates when the hashsalt was last changed:

$_SESSION['saltstamp'] = $sys['now_offset'];

If $_SESSION['saltstamp'] is older than 1 minute, the hashsalt is changed during the request. It is changed both in user cookie/session and is also tracked in sed_users table in the column called user_hashsalt.

scriptor

Di, 23 Feb 2010 00:50:59 -0000

I want to know how the auth system from Cotonti works? Some scripts from seditio dont work with cotonti ans so i want to know how to request the user id and so