cotonti.com : Auth System https://www.cotonti.com Latest topic posts Cotonti en Sun, 19 Oct 2025 13:07:13 -0000

Trustmaster Mon, 01 Mar 2010 23:10:23 -0000

scriptor
because this script can't give me my user ID when I'm logged in :(
Mon, 01 Mar 2010 17:36:53 -0000

Trustmaster
# scriptor : How to find the user ID of an active session with an external script that doesn't use the Cotonti function?
This method is not very secure and can be faked with a cookie, but I'll explain it. First you need to get $cfg['mainurl'] from Cotonti's datas/config.php. Then you can get the user ID like this:
<?php
// Reads the Cotonti auth keys from the cookie or the session and extracts the user ID.
// This only decodes what the client sent; the ID is not checked against the database.
session_start();
require_once 'datas/config.php';   // defines $cfg['mainurl']

// Cotonti's site-specific variable name: 'ct' plus the first 10 hex chars of md5(mainurl)
$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);

if (!empty($_COOKIE[$site_id])) $u_data = $_COOKIE[$site_id];        // "remember me" login
elseif (!empty($_SESSION[$site_id])) $u_data = $_SESSION[$site_id];  // session-only login
else $u_data = false;

if ($u_data)
{
  // Auth keys are base64(userid:_:passhash); the user ID is the first field
  $u_data = explode(':_:', base64_decode($u_data));
  $cot_user_id = $u_data[0];
}
else
{
  // Not logged in
  $cot_user_id = 0;
}

In Cotonti Siena there will be a session variable to get that ID in an easier and more reliable way.
Sun, 28 Feb 2010 20:54:59 -0000
GHengeveld Sun, 28 Feb 2010 05:37:08 -0000

scriptor Tue, 23 Feb 2010 19:26:29 -0000

Trustmaster
system/common.php at lines 201-311.

Here is a brief explanation of how it works.

First you log in via users.php?m=auth. That script checks your username and password. If the login is successful, it creates the authentication keys, which consist of:
  • User ID
  • Password hash. This is not just an MD5 hash of the password. It is actually
    $passhash = md5($rmdpass.$hashsalt);
    where $rmdpass is an MD5 hash of the password and $hashsalt is a random string that does not let an attacker get a collision for your password if he has got the $passhash from your cookie.
If you have chosen "remember me", the authentication keys are saved in a cookie variable; otherwise a session variable is used. The variable name is $sys['site_id'], so it's unique for every site:
// 'ct' plus the first 10 hex chars of md5(mainurl)
$site_id = 'ct' . substr(md5($cfg['mainurl']), 0, 10);
$sys['site_id'] = $site_id;

Putting it all together, the auth keys are remembered like this:
$passhash = md5($rmdpass.$hashsalt);           // hash of the password hash plus the per-user salt
$u = base64_encode($ruserid.':_:'.$passhash);  // auth keys: user ID and passhash, separated by ':_:'

if($rremember)
{
	// "remember me": persistent cookie; $sys['secure'] and the trailing true are the Secure and HttpOnly flags
	sed_setcookie($sys['site_id'], $u, time()+$cfg['cookielifetime'], $cfg['cookiepath'], $cfg['cookiedomain'], $sys['secure'], true);
}
else
{
	// otherwise the keys live only in the PHP session
	$_SESSION[$sys['site_id']] = $u;
}

Then there is another trick against client-side request forgery: the hashsalt is changed every minute. To be more precise, there is a session variable that records when the hashsalt was last changed:
$_SESSION['saltstamp'] = $sys['now_offset'];
If $_SESSION['saltstamp'] is older than 1 minute, the hashsalt is changed during the request. It is changed both in the user's cookie/session and in the sed_users table, in the column called user_hashsalt.
Tue, 23 Feb 2010 16:57:07 -0000
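Added example, not code from the thread or from Cotonti: a self-contained PHP model of the scheme Trustmaster describes in both posts above. It computes the site_id, builds the base64(userid:_:md5(rmdpass.hashsalt)) keys, contrasts the decode-only lookup of the external-script snippet (which trusts whatever user ID the cookie carries, which is why that method "can be faked with a cookie") with a lookup that recomputes the hash from the stored user_password and user_hashsalt, and rotates the salt once saltstamp is older than a minute. The function names, the in-memory user table, the salt generator and the verification step itself are assumptions; the posts show how the keys are created, not how Cotonti checks them.

```php
<?php
// Added example, not Cotonti's own code. Models the auth keys described in the thread:
// keys = base64(userid . ':_:' . md5(rmdpass . hashsalt)), stored under $_COOKIE[$site_id]
// or $_SESSION[$site_id]. Function names, the in-memory user table and the verify step
// are assumptions for illustration.

// Site-specific variable name, as in Cotonti: 'ct' + first 10 hex chars of md5(mainurl).
function auth_site_id($mainurl)
{
    return 'ct' . substr(md5($mainurl), 0, 10);
}

// Build the auth keys created at login. $rmdpass is md5(password), $hashsalt the user's salt.
function auth_make_keys($userid, $rmdpass, $hashsalt)
{
    $passhash = md5($rmdpass . $hashsalt);
    return base64_encode($userid . ':_:' . $passhash);
}

// Split keys into [userid, passhash]; null if the blob is not well-formed.
function auth_split_keys($keys)
{
    $raw = base64_decode($keys, true);
    $parts = $raw === false ? [] : explode(':_:', $raw, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    return [(int)$parts[0], $parts[1]];
}

// Decode-only lookup: what the external-script snippet does. Trusts the ID the client sent.
function auth_unverified_user_id($keys)
{
    $parts = auth_split_keys($keys);
    return $parts === null ? null : $parts[0];
}

// Verified lookup (assumed check, not shown on the page): recompute md5(user_password . user_hashsalt)
// from the stored row and compare in constant time, so a forged cookie needs the real hash and salt.
function auth_verified_user_id($keys, array $users)
{
    $parts = auth_split_keys($keys);
    if ($parts === null || !isset($users[$parts[0]])) {
        return null;
    }
    $row = $users[$parts[0]];
    $expected = md5($row['user_password'] . $row['user_hashsalt']);
    return hash_equals($expected, $parts[1]) ? $parts[0] : null;
}

// Salt rotation: once saltstamp is older than 60 s, issue a new hashsalt, write it to the
// user row (user_hashsalt) and return re-issued keys; the old keys stop verifying.
function auth_rotate_salt($userid, $keys, array &$users, &$saltstamp, $now)
{
    if ($now - $saltstamp < 60) {
        return $keys;
    }
    $users[$userid]['user_hashsalt'] = bin2hex(random_bytes(8)); // assumed salt generator
    $saltstamp = $now;
    return auth_make_keys($userid, $users[$userid]['user_password'], $users[$userid]['user_hashsalt']);
}

// Constructed sample data (not from the page): one sed_users-style row.
$users = [42 => ['user_password' => md5('correct horse'), 'user_hashsalt' => 'a1b2c3d4']];
$site_id = auth_site_id('https://www.example.com'); // hypothetical mainurl
$store = [$site_id => auth_make_keys(42, $users[42]['user_password'], $users[42]['user_hashsalt'])];
$keys = $store[$site_id]; // stands in for $_COOKIE[$site_id] / $_SESSION[$site_id]

// Genuine keys pass both lookups.
var_dump(auth_unverified_user_id($keys) === 42, auth_verified_user_id($keys, $users) === 42);

// Forged cookie: user 42's ID with a made-up passhash. Decode-only code is fooled, verification is not.
$forged = base64_encode('42:_:' . str_repeat('0', 32));
var_dump(auth_unverified_user_id($forged) === 42, auth_verified_user_id($forged, $users) === null);

// After a minute the salt rotates: the old keys fail, the re-issued keys verify.
$saltstamp = 1000;
$fresh = auth_rotate_salt(42, $keys, $users, $saltstamp, 1061);
var_dump($fresh !== $keys, auth_verified_user_id($keys, $users) === null, auth_verified_user_id($fresh, $users) === 42);
```

Run it with `php auth_model.php`; every var_dump line should print bool(true). The forged-cookie case is the point of the first post's warning: anything that stops at explode() and takes $u_data[0] as the user ID can be driven by a cookie the attacker writes himself, while the hash check needs the user's stored password hash and the current user_hashsalt, which rotation replaces every minute.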
scriptor Tue, 23 Feb 2010 00:50:59 -0000