How to encode a URL for auto-login
 


Started by macnlos, November 07, 2007, 07:04:01 PM


macnlos

I've got family members within a secure website and I want to create a single link to transfer them into CPG.  I'm hoping there is some way to encode something like the following URL so they don't have to log in.  Guest access is turned off on CPG; I don't want non-family members to view the galleries.

LINK:  http://www.mysite.com/gallery/login.php?username=xxxxxx&password=yyyyyy

Is this possible and does someone have an example?  If not I could create a single button form page that would pass the variables with predefined values and mimic what the login.php does.

Thanks,
CR

macnlos

Sorry about that URL link above...  It's not a real link, just a sample. I did find it goes to some advertising-based site.  I really didn't mean to do that...  :(

Nibbler

If you are sure that you are aware of the security risks, you can mod login.php


if (isset($_POST['submitted'])) {
    if ( $USER_DATA = $cpg_udb->login( addslashes($_POST['username']), addslashes($_POST['password']), isset($_POST['remember_me']) ) ) {


Change the 3 $_POSTs to $_REQUESTs and add &submitted=yes to your sample link.

PS. When posting example links use example.com; it's reserved for that purpose.

macnlos

That worked like a charm!  Here is what I changed for anyone else's reference:

<install-directory>/login.php


if (isset($_REQUEST['submitted'])) {
    if ( $USER_DATA = $cpg_udb->login( addslashes($_REQUEST['username']), addslashes($_REQUEST['password']), isset($_REQUEST['remember_me']) ) ) {


From a URL perspective I'm now passing something like:
http://www.example.com/gallery/login.php?username=somebody&password=something&remember_me=1&submitted=yes

Joachim Müller

Good to hear that this worked for you, and thanks for resolving your thread. Just for the benefit of others who might be looking for a similar thing: the solution posted in this thread is very, very bad in terms of security - passing a username and password along in the URL is a no-no unless you really know what you're doing and unless you have made sure to secure your entire gallery by other mechanisms. This hack is imo only for local family networks, but definitely not fit for usage on the www.
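
An added example, not written by anyone in this thread and not part of Coppermine: once login.php accepts credentials from the query string, the password is recorded in the web server's access log and in any Referer field that carries the login URL. The scanner below flags and redacts such entries; it assumes the combined log format, the parameter names in SENSITIVE are an assumption, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (assumption; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Apache/nginx combined log format; the referer and user-agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+(?: "(?P<referer>[^"]*)" "[^"]*")?'
)

def redact(url):
    """Return (redacted_url, leaked_param_names) for a URL or request target."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def scan(lines):
    """Yield one finding per log field (request target or Referer) holding a secret."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format
        for field in ("target", "referer"):
            value = m.group(field)
            if not value or value == "-":
                continue
            clean, leaked = redact(value)
            if leaked:
                yield {"line": n, "field": field, "ip": m.group("ip"),
                       "params": leaked, "url": clean}

# Constructed sample lines (documentation IP ranges and example.com only).
SAMPLE = [
    '192.0.2.10 - - [07/Nov/2007:19:30:01 +0000] "GET /gallery/login.php?username=somebody'
    '&password=something&remember_me=1&submitted=yes HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Nov/2007:19:30:02 +0000] "GET /gallery/index.php HTTP/1.1" 200 5120 '
    '"http://www.example.com/gallery/login.php?username=somebody&password=something" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Nov/2007:19:31:00 +0000] "POST /gallery/login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The POST login on the third sample line produces no finding because its credentials travel in the request body, which the access log does not record.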