How to retrieve username/password from existant session

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785
Locked
z00om
Registered User
Posts: 23
Joined: Wed Nov 28, 2001 7:04 am
Contact:

How to retrieve username/password from existant session

Post by z00om » Sun Mar 17, 2002 9:42 pm

Hello,

I need the code to retrieve the username and password from the users existant session, because I wan't to incorperate their user data into the rest of my site. If anyone could help me out I would really appreciate it! I have never touched sessions in PHP so when I opened up the sessions file it all went RIGHT OVER my head! heh...

Also,
How to tell if they aren't logged in?
And, is the password in the session md5 encrypted or is it the actual thing?

Thanks!
-Scott

z00om
Registered User
Posts: 23
Joined: Wed Nov 28, 2001 7:04 am
Contact:

Post by z00om » Sun Mar 17, 2002 9:44 pm

hmm, it seems all I really need is the session id then I could grab their user_id from the DB and compare it, but.. how to get their session id? lol...
I'll experiment but your help, of course, is still appreciated! :)

hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm
Contact:

Post by hsim » Sun Mar 17, 2002 10:01 pm

email me: hsim at gmx.li

z00om
Registered User
Posts: 23
Joined: Wed Nov 28, 2001 7:04 am
Contact:

Post by z00om » Sun Mar 17, 2002 10:18 pm

Okay, I have this...

It will not do session management but it WILL get their current session ID, which you can use to get their user_id!

Here is what I have, you end up with $session_id... most of the code is just taken from includes/session.php or whatever its named, I forgot, and then I use a non-phpbb standard way of tracking it back... It's nothing fancy, I don't use object oriented programming or anything, but it works.

Code: Select all

<?php 
mysql_connect("host","user","pass"); 
mysql_select_db("phpbb_db"); 
$query = "SELECT config_name,config_value FROM config WHERE config_name = 'cookie_name' OR config_name = 'cookie_path' OR config_name = 'cookie_domain' OR config_name = 'cookie_secure'"; 
$result = mysql_query($query); 
/* Not sure if this is still needed or not... */ 
	global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $SID; 
while($row = mysql_fetch_row($result)) { 
	if ($row[0] == "cookie_name") { 
	$cookiename = $row[1]; 
	} 
	if ($row[0] == "cookie_path") { 
	$cookiepath = $row[1]; 
	} 
	if ($row[0] == "cookie_domain") { 
	$cookiedomain = $row[1]; 
	} 
	if ($row[0] == "cookie_secure") { 
	$cookiesecure = $row[1]; 
	} 
} 

	if( isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ) { 
		$session_id = isset($HTTP_COOKIE_VARS[$cookiename . '_sid']) ? stripslashes($HTTP_COOKIE_VARS[$cookiename . '_sid']) : ""; 
	} else { 
		$session_id = ( isset($HTTP_GET_VARS['sid']) ) ? $HTTP_GET_VARS['sid'] : ""; 
	} 
echo $session_id; 
?>
that will output the current users session id, then you can query the db as such:

Code: Select all

SELECT user_id FROM sessions WHERE session_id = '$session_id'
that will then give you the users id, so you can do this:

Code: Select all

SELECT * FROM users WHERE user_id = $user_id
and boom! you now have ALL their user info! It would only be hackable if someone could grab your session id and plug it in somehow, so unless someone else says so (and if they do I'll bet their right) it's secure!

Anyone else have anything to add? change? suggestions? I'd appreciate it! :)

hsim
Registered User
Posts: 1554
Joined: Tue Oct 23, 2001 9:39 pm
Contact:

Post by hsim » Sun Mar 17, 2002 10:38 pm

1. this should go to the mods forums
2. have a look at the last post in the thread I linked above - I'm explaining how to use phpBB session code, you don't need the password, the username is stored in $userdata['username']
email me: hsim at gmx.li

z00om
Registered User
Posts: 23
Joined: Wed Nov 28, 2001 7:04 am
Contact:

Post by z00om » Sun Mar 17, 2002 10:58 pm

Yeah, that and since it doesn't do session management the session expires eventually and its useless. Thanks for the link...

Locked

Return to “2.0.x Support Forum”