Started to look at this last night and this morning. Was getting
inconsistent results in what the plugin was storing. Seemed like the
username was getting messed up as I kept seeing weird entries in the
site.persist.login file.
Think there might be some incompatibility going on.
If I clear the site.persist.login file (empty) and log in, checking the
remember me box, I get weird entries in the file like:
ain.admin: #######
Over time it ends up with
main.admin: #######
ain.admin: #######
admin: ######
sit.admin: #######
and more...
many of which are the page you were on when the function was hit like main
(most common).
If I put some debug statements in the BOLTXpersist function like:
...
$BOLTmember = BOLTfilter($BOLTarray['member'], 'csv');
$BOLTloginPages = BOLTconfig('BOLTloginPages');
$id = BOLTpageshortcuts("$BOLTloginPages.$BOLTmember");
$BOLTid = substr($id, strlen($BOLTloginPages) + 1);
$key = rand(1000000, 9999999); // key to help secure cookie
echo "BOLTarray <pre>";
print_r($BOLTarray['member']);
echo "</pre>";
echo "ID = " . $BOLTid . "<br>";
echo "BoldID = " . $BOLTid . "<br>";
echo "BOLTmember = " . $BOLTmember . "<br>";
setcookie('id', $BOLTid, $expires);
setcookie('key', $key, $expires);
when it gets there, I see why... in this case, I was on the main page when
it hit
BOLTarray
admin
ID = ain.admin
BoldID = ain.admin
BOLTmember = admin
It is somehow getting the page info into the userid...
Not sure why the $BOLTid would want to do anything with the page the user
is on, it should only be caring about what the user is.
It seems like it should be using BOLTmember as the id for the cookie and
saving to the site.persist.login file like:
setcookie('id', $BOLTmember, $expires);
setcookie('key', $key, $expires);
$page = 'site.persist.login';
$content = BOLTloadpage($page);
if (preg_match("/$BOLTmember\: (.*)/m", $content) > 0) $content =
preg_replace("/$BOLTmember\: (.*)/m", "$BOLTid: $key", $content);
else $content .= "\n$BOLTmember: $key";
BOLTsavepage($page, $content, '', false);
But even that is messing up:
adminain: ######
admin: #######
but I might be missing how this is really working (or just screwed it up).
Don't know if it means anything but I am using it in the action.logout page
like:
! >>Logout<<
[if login]You are currently logged in as: **{member}**
[form]
[submit LOGOUT]
[session logout]
[session persist]
[form]
[else]You are not currently logged in.
[if]
and action.login page like:
! >>Login<<
[(persist)]
[if login]>>You are currently logged in as:<< **{member}**
[else]>>Please enter your member id and password:<<
[form]
[t]
[r]
[c]>>Member:<<
[c][text member]
[r]
[c]>>Password:<<
[c][password password]
[t]
[submit LOGIN] [check persist "+15 days"]Remember Me!
[session login]
[form] [if]
On Fri, Sep 25, 2009 at 3:55 PM, The Editor <[email protected]> wrote:
> Remember that
> in BoltWire, you can login with an exact match or an unencrypted match
> to an encrypted password. This is because BoltWire has an option for
> plain text passwords. So if I access the cookie file, I would have
> access to the account even without knowing the unencrypted
> password--because I have the exact match equivalent.
>
Understood... However the actual password itself is not stored as is in
the cookie. It is hashed first using a special salt code. So even a
plain text password would be hashed in the cookie itself.
Before the cookie is saved, it does something like:
$savepass = md5($cookieSalt . $userspass);
When the cookie is compared with the actual password, the process is done to
compare the results
Something like:
if ($savepass == md5($cookieSalt . $userspass) ) ...
The cookieSalt would be site wide and stored either as a hard code in the
function itself, or better yet in site.config as
cookieSalt: SomeUniqueValue
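
An anchored update and lookup for a `member: key` store like site.persist.login, as an added example that is not part of the original message or of BoltWire's code. The function names are hypothetical, the sample store is constructed, and random_bytes() stands in for the rand() key used in the snippet above.

```php
<?php
// Added example: hypothetical helpers, not BoltWire functions.
// $content is the text of a "member: key" store such as site.persist.login.

// Pattern that matches only the complete line for this exact member id.
function persist_pattern(string $member): string {
    return '/^' . preg_quote($member, '/') . ': (.*)$/m';
}

// Insert or replace the member's line; every other line is left untouched.
function persist_upsert(string $content, string $member, string $key): string {
    $line = "$member: $key";
    $pattern = persist_pattern($member);
    if (preg_match($pattern, $content)) {
        // A callback keeps "$1" or "\1" in the data from being read as a backreference.
        return preg_replace_callback($pattern, fn($m) => $line, $content, 1);
    }
    return $content === '' ? $line : rtrim($content, "\n") . "\n" . $line;
}

// Compare the cookie's key with the stored key in constant time.
function persist_check(string $content, string $member, string $cookieKey): bool {
    if (!preg_match(persist_pattern($member), $content, $m)) {
        return false;
    }
    return hash_equals(trim($m[1]), $cookieKey);
}

// Constructed sample store: a stale page-prefixed entry plus the real one.
$store = "main.admin: 1111111\nadmin: 2222222";
$key = bin2hex(random_bytes(16)); // CSPRNG token in place of rand()
$store = persist_upsert($store, 'admin', $key);
echo $store, "\n";
var_dump(persist_check($store, 'admin', $key));       // the key just issued
var_dump(persist_check($store, 'admin', '2222222'));  // the key that was replaced
var_dump(persist_check($store, 'ain.admin', $key));   // a page-prefixed id
```

The `^` anchor together with preg_quote() keeps a lookup for `admin` from matching inside a line such as `main.admin: ...`.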