
Remotely verifying sessions



I'm stuck on a specific problem trying to link a phpBB forum with a processwire site. Both are held on separate machines but can communicate with each other fine.

I am easily able to validate a session on the phpBB side and log a user in on the processwire end if the session is valid and the user is linked.

I am, however, stuck on remotely validating a processwire login session from the phpBB end. Since this is not a phpBB support forum my (more generic) query therefore is:

Can I validate a file-based processwire session remotely using nothing other than the cookie-stored session information? I have full access to both machines and can therefore work with static-IP-restricted pages etc., so security-wise I'm not too worried; it's the how that baffles me at the moment.

Disclaimer: Yes, I did search the forum and no I did not find anything useful to the given problem although I may well have searched for the wrong things...


I got as far as this "idea":

Cookie data:

  1. Check 'wire' and 'wire_challenge' are valid; if so, extract the user_id from the session
  2. Check the user_id is paired with a phpBB user on the pw system using the standard API; if so, pass back the phpBB user id stored

(Run the auto login on the phpBB end using the returned id - this is surprisingly trivial...)


So after much head scratching and reading I've come up with the following solution (minus the one pitfall I'm still working on, as mentioned later):

  1. If a user accesses the "forum" domain, the script checks for "site" cookies being present
  2. If this is the case, the script fires off a request to the site in the background with the cookie data being sent encrypted
  3. The server decrypts the cookie data, then fires off an internal request to the site with the cookie data sent using curl. It returns the user ID
  4. The "forum" receives the site user id and "secret" key, then handles the request from there.

While not the most secure way of doing things, this does mean that the fingerprinting can remain enabled and is only specifically disabled for local requests. The sticking point was trying to pass the cookies through curl correctly.

One last (hopefully) simple issue - is there a way to change the cookie domain of the site to be .site.tld as opposed to site.tld in pw?

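Steps 2 and 3 of the scheme above (and the cookie check from the first post), as an added example that is not the poster's code: the forum seals the visitor's ProcessWire cookies with a shared key using AES-256-GCM, and the site opens the blob and replays only the two session cookies in an internal curl request to a local-only validation page. The shared key, the validation URL and the JSON reply shape (`{"user_id": 123}`) are assumptions.

```php
<?php
// Added example, not the code from the forum thread. The key below is a
// placeholder: generate 32 random bytes and share them out of band.
const SHARED_KEY_HEX = '00000000000000000000000000000000' .
                       '00000000000000000000000000000000';

// Forum side: encrypt the cookie array. GCM gives integrity as well as
// confidentiality, so a tampered or replayed-with-edits blob is rejected.
function sealCookies(array $cookies, string $key): string {
    $iv  = random_bytes(12);            // fresh nonce per message
    $tag = '';
    $ct  = openssl_encrypt(json_encode($cookies), 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Site side: decrypt; returns null when the blob fails authentication.
function openCookies(string $blob, string $key): ?array {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) return null;
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $pt  = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
                           OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : json_decode($pt, true);
}

// Site side: replay only 'wire' and 'wire_challenge' against a page that is
// reachable from localhost only (assumed URL), and read back the user id.
function lookupUserId(array $cookies, string $localUrl): ?int {
    $pairs = [];
    foreach (['wire', 'wire_challenge'] as $name) {
        if (isset($cookies[$name])) {
            $pairs[] = $name . '=' . rawurlencode($cookies[$name]);
        }
    }
    if (count($pairs) !== 2) return null;   // both cookies are required
    $ch = curl_init($localUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIE         => implode('; ', $pairs), // Cookie: header
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) return null;
    $data = json_decode($body, true);
    return (isset($data['user_id']) && is_int($data['user_id'])) ? $data['user_id'] : null;
}
```

On the site, `lookupUserId(openCookies($blob, hex2bin(SHARED_KEY_HEX)) ?? [], 'http://127.0.0.1/session-check/')` ties the two halves together; a null result means either the blob was not authentic or the session was not valid.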

In my Custom mod module (contains all the hooks that hook straight into the core, saving me from having to modify the core itself):

wire()->addHookBefore('Session::init', $this, 'sessionInit');

# Session::init
public function sessionInit() {
    // body not included in the post: this is where the session cookie domain
    // is adjusted before Session::init runs
}

Works a charm. Would be nice to have a config setting that allows cookies to be available for subdomains or not as this would make pw easier to integrate into existing projects. Although it could be argued that hacking two systems together should be made as hard as possible to stop people from trying it.
