Forums / Cotonti / Support / Auth System

scriptor
#1 2010-02-23 00:50
I want to know how the auth system from Cotonti works. Some scripts from Seditio don't work with Cotonti, and so I want to know how to request the user ID and so on.
[url=http://www.freak-forum.de]Freak-Forum.de[/url] - The Freakstyle Community
[url=http://www.adelmann-solutions.com]adelmann-solutions, webdesign Freiburg[/url]
Trustmaster
#2 2010-02-23 16:57
Yes, the authentication system is a bit complicated. The actual authentication code (that checks user auth keys) is located in system/common.php at lines 201-311.

Here is a brief explanation of how it works.

First you log in via users.php?m=auth. That script checks your username and password. If the login is successful, it creates the authentication keys, which consist of:
  • User ID
  • Password Hash. This is not just an MD5 hash of the password. It is actually
    $passhash = md5($rmdpass.$hashsalt);
    where $rmdpass is an MD5 hash of the password and $hashsalt is a random string that does not let an attacker get a collision for your password if he has got the $passhash from your cookie.
If you have chosen "remember me", the authentication keys will be saved in a cookie variable, otherwise a session variable is used. The variable name is $sys['site_id'], so it's unique for every site:
$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

Putting all together, the auth keys are remembered like this:
$passhash = md5($rmdpass.$hashsalt);
$u = base64_encode($ruserid.':_:'.$passhash);

if($rremember)
{
	sed_setcookie($sys['site_id'], $u, time()+$cfg['cookielifetime'], $cfg['cookiepath'], $cfg['cookiedomain'], $sys['secure'], true);
}
else
{
	$_SESSION[$sys['site_id']] = $u;
}

Then there is another trick against client-side request forgery: the hashsalt is changed every minute. To be more precise, there is a session variable that indicates when the hashsalt was last changed:
$_SESSION['saltstamp'] = $sys['now_offset'];
If $_SESSION['saltstamp'] is older than 1 minute, the hashsalt is changed during the request. It is changed both in the user's cookie/session and is also tracked in the sed_users table in the column called user_hashsalt.
May the Source be with you!
scriptor
#3 2010-02-23 19:26
How do I find the user ID of an active session with an external script that doesn't use the Cotonti functions?
GHengeveld
#4 2010-02-28 05:37
Interesting read, thanks for that Trustmaster.
Trustmaster
#5 2010-02-28 20:54
# scriptor : How do I find the user ID of an active session with an external script that doesn't use the Cotonti functions?
This method is not very secure and can be faked with a cookie, but I'll explain it. First you need to get $cfg['mainurl'] from Cotonti's datas/config.php. Then you can get the user ID like this:
// $cfg['mainurl'] must already be loaded from Cotonti's datas/config.php
session_start(); // required before $_SESSION can be read in an external script
$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
if (!empty($_COOKIE[$site_id])) $u_data = $_COOKIE[$site_id];
elseif (!empty($_SESSION[$site_id])) $u_data = $_SESSION[$site_id];
else $u_data = false;

if ($u_data)
{
  // Get Cotonti user ID (the auth key is base64 of "userid:_:passhash")
  $u_data = explode(':_:', base64_decode($u_data));
  $cot_user_id = (int) $u_data[0];
}
else
{
  // Not logged in
  $cot_user_id = 0;
}

In Cotonti Siena there will be a session variable to get that ID in an easier and more reliable way.
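As an added example (not Cotonti's code and not from Trustmaster's post), this is the check an external script should perform before trusting the user ID in the auth key described in this thread: recompute md5($rmdpass . $hashsalt) from the stored password hash and the user's current user_hashsalt and compare it to the passhash in the key, so a cookie that merely names a user ID is rejected. The demo_lookup_user function, the in-memory user table and the user_password column name are assumptions standing in for a sed_users query; because the salt rotates every minute, the lookup has to read the current salt at request time.

```php
<?php
// Added example (not Cotonti's own code). Assumes the stored password hash is the
// MD5 of the password ($rmdpass in the thread) and lives in a column named
// user_password (assumed); user_hashsalt is the column named in the thread.

// Constructed stand-in for the sed_users table.
const DEMO_USERS = [
    42 => ['user_password' => 'e10adc3949ba59abbe56e057f20f883e', // md5('123456')
           'user_hashsalt' => 'k3QpZx9w'],                        // constructed salt
];

function demo_lookup_user(int $id): ?array {
    return DEMO_USERS[$id] ?? null;
}

// Same construction as users.php?m=auth: base64(userid . ':_:' . md5(rmdpass . salt)).
function cot_build_auth_key(int $userid, string $rmdpass, string $hashsalt): string {
    return base64_encode($userid . ':_:' . md5($rmdpass . $hashsalt));
}

// Returns the user ID only if the passhash matches the current salt; 0 otherwise.
function cot_verify_auth_key(string $u_data, callable $lookup): int {
    $decoded = base64_decode($u_data, true);
    $parts = explode(':_:', $decoded === false ? '' : $decoded, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 0; // malformed key
    }
    [$userid, $passhash] = $parts;
    $row = $lookup((int) $userid);
    if ($row === null) {
        return 0; // unknown user
    }
    // Recompute what the login script would have produced with the current salt.
    $expected = md5($row['user_password'] . $row['user_hashsalt']);
    return hash_equals($expected, $passhash) ? (int) $userid : 0;
}

// Demo: a genuine key verifies, a key that only names the same user ID does not.
$good   = cot_build_auth_key(42, DEMO_USERS[42]['user_password'], DEMO_USERS[42]['user_hashsalt']);
$forged = base64_encode('42:_:' . md5('guess'));
echo 'genuine key -> user ', cot_verify_auth_key($good, 'demo_lookup_user'), "\n";
echo 'forged key  -> user ', cot_verify_auth_key($forged, 'demo_lookup_user'), "\n";
```

In a real script the $u_data value comes from $_COOKIE[$site_id] or $_SESSION[$site_id] exactly as in the post above; only the trust decision changes.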
scriptor
#6 2010-03-01 17:36
Okay, then I'll wait :) because this script can't give me my user ID when I'm logged in :(
Trustmaster
#7 2010-03-01 23:10
The $_SESSION['cot_user_id'] variable will be available in 0.6.7.