detecting successful coppermine logins

Started by johnm1019, July 18, 2007, 08:20:32 PM


johnm1019

I'm creating a custom site, and I am using coppermine for its photo abilities.  Because of this, I am going to use coppermine as a user/login manager.
How can I hook into the cookies or whatever after a user has logged in via coppermine to know in my application that a user is successfully logged in and grab their username?

The site is hosted as mydomain.com/app and the gallery is gallery.mydomain.com -- the two sites are also using the same database, as I dig through other parts of the coppermine database for photo stuff, so if I need to check a hash against the session table or something I can do that.


How do I do this?  What do I do with which cookies?

Nibbler

Generate the client_id, like so


                $this->client_id = md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['SERVER_PROTOCOL'].$CONFIG['site_url']);


That is just an md5 hash of the user agent, protocol and site url.

That client_id is the name of the cookie you need to look for. When you read that cookie you get the sessioncookie.


                // Get the session cookie value
                $sessioncookie = $_COOKIE[$this->client_id];


Use that to generate the session_id using the client_id you had from before


                // Create the session id by concat(session_cookie_value, client_id)
                $session_id = $sessioncookie.$this->client_id;


The session_id stored in the sessions table is an md5 hash of the session_id you just calculated, so you can look that up and get the user_id from it.


                    // Check for valid session
                    $sql =  'select user_id from '.$this->sessionstable.' where session_id=md5("'.$session_id.'");';
                    $result = cpg_db_query($sql);


All code from bridge/coppermine.inc.php
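
An added example, not part of the post above and not Coppermine's own code: the same lookup done from a separate PHP application, with the hash computed in PHP and passed as a bound parameter so the cookie value is never concatenated into the SQL string. The function names are hypothetical, and the PDO connection, the `cpg14x_` table prefix, the users table columns `user_id`/`user_name`, and `user_id` 0 meaning a guest session are assumptions.

```php
<?php
// Added example. Assumptions: shared database reachable through PDO, table
// prefix "cpg14x_", users table with user_id/user_name, user_id 0 = guest.

function coppermine_client_id(array $server, string $siteUrl): string
{
    // Same recipe as the bridge code: md5(user agent . protocol . site_url).
    // $siteUrl must equal the gallery's configured site_url byte for byte, and
    // both vhosts must see the same SERVER_PROTOCOL or the cookie name differs.
    return md5(($server['HTTP_USER_AGENT'] ?? '')
        . ($server['SERVER_PROTOCOL'] ?? '')
        . $siteUrl);
}

function coppermine_session_key(array $cookies, string $clientId): ?string
{
    $value = $cookies[$clientId] ?? null;
    // Cookies are client-controlled: reject arrays (name[]=x) and oversized values.
    if (!is_string($value) || $value === '' || strlen($value) > 64) {
        return null;
    }
    // The sessions table stores md5(cookie value . client_id).
    return md5($value . $clientId);
}

function coppermine_logged_in_user(PDO $db, array $server, array $cookies,
    string $siteUrl, string $prefix = 'cpg14x_'): ?array
{
    $key = coppermine_session_key($cookies, coppermine_client_id($server, $siteUrl));
    if ($key === null) {
        return null;
    }
    // $prefix is a configuration constant, never request data.
    $stmt = $db->prepare(
        "SELECT u.user_id, u.user_name
           FROM {$prefix}sessions s
           JOIN {$prefix}users u ON u.user_id = s.user_id
          WHERE s.session_id = :sid AND s.user_id > 0"
    );
    $stmt->execute([':sid' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null; // null: no cookie, unknown session, or guest
}

// Usage (DSN, credentials and URL are placeholders):
// $db   = new PDO('mysql:host=localhost;dbname=gallery', 'dbuser', 'dbpass');
// $user = coppermine_logged_in_user($db, $_SERVER, $_COOKIE, 'http://gallery.mydomain.com/');
```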

johnm1019

Thank you!
You might sticky this because if you try and search for it, all your results are inundated with people looking to bridge coppermine to open-source platform xyz, rarely the other way around :).

johnm1019

For those who find this later, a little more info for ya.

I have my site set up as subdomain1.whatever.com and subdomain2.whatever.com (one of those is for the gallery, the other for the application).

By default coppermine specifies no domain for the cookie, so the default is used, which is the complete gallery.mydomain.com.
If you want the cookies to be readable across all subdomains, go into bridge/coppermine.inc.php and find the only line that has "setcookie" on it.

What is there is:

                setcookie( $this->client_id, $this->session_id, time() + (CPG_WEEK*2), $CONFIG['cookie_path'] );

Change that to:

                setcookie( $this->client_id, $this->session_id, time() + (CPG_WEEK*2), '/', '.yourdomain.com' );

The default cookie path is / anyway IIRC but why take risks.

Now your app on app.yourdomain.com can read the cookie that was set by the gallery at gallery.yourdomain.com

Joachim Müller

Quote from: johnm1019 on July 23, 2007, 04:54:18 PM
The default cookie path is / anyway IIRC but why take risks.
There is only a risk if you don't own the domain, but are on a subdomain (like yoursubdomain.yourfreehost.tld). If the domain is yours, there is no risk and you should not mess with the cookie path.