append_sid()

This forum is now closed as part of retiring phpBB2.
lavarock09
Registered User
Posts: 22
Joined: Sat Apr 16, 2005 7:14 pm

append_sid()

Post by lavarock09 »

Hey everyone,

I'm just doing something with integrating phpBB's login with my site,

but to have the logout link, I need a session ID (SID).

So I thought I'll use append_sid()

like this

Code: Select all

$logout = append_sid("login.php?logout=true");
echo '<a href="forums/' . $logout . '">Logout</a>';
but it doesn't work,

Am I doing something wrong?

Chris

P.S.

I have done all this stuff

Code: Select all

define('IN_PHPBB', true);
$phpbb_root_path = './';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);

//
// Start session management
//
$userdata = session_pagestart($user_ip, PAGE_INDEX);
init_userprefs($userdata);
//
// End session management
//
itsallgood
Registered User
Posts: 76
Joined: Wed May 05, 2004 8:54 pm

Post by itsallgood »

alright mate,

there's probably 1000 reasons NOT to do this... but on one site I worked on, the only thing I could do was comment out this in login.php:

Code: Select all

		if ($sid == '' || $sid != $userdata['session_id'])
		{
			message_die(GENERAL_ERROR, 'Invalid_session');
		}
Removing, /* */ this out will stop the page checking if you have a session ID, but still log you out if you're logged in.

This works, but use at own risk. :roll:

Hope it helps.

Regards.
<?php
I've Been Banned!
Posts: 7
Joined: Mon Apr 10, 2006 4:42 am

Post by <?php »

Or... You could manually set the sid

Code: Select all

$logout = "login.$phpEx?logout=true&sid=" . $userdata['session_id'];
This is how it is appended for the acp link.

ie.

Code: Select all

$admin_link = ( $userdata['user_level'] == ADMIN ) ? '<a href="admin/index.' . $phpEx . '?sid=' . $userdata['session_id'] . '">' . $lang['Admin_panel'] . '</a><br /><br />' : '';
itsallgood
Registered User
Posts: 76
Joined: Wed May 05, 2004 8:54 pm

Post by itsallgood »

If he is on a page that could use $userdata['session_id'] ( a real phpbb page, or one under the "define('IN_PHPBB', true);")

the log-out button would work anyway using append_sid, wouldn't it???

(I'm not sure though, I think this keeps your login details correct)


What I suggested was for pages not in phpbb, or not using php. Just plain html.

I used it in a flash application to logout.
<?php
I've Been Banned!
Posts: 7
Joined: Mon Apr 10, 2006 4:42 am

Post by <?php »

append_sid() is for users that don't have cookies enabled. It will only append the sid in this case.
klutch
Registered User
Posts: 5
Joined: Fri Mar 31, 2006 7:05 pm

Post by klutch »

I also have this same problem. All I could do was manually get the $SID. If append_sid() is only called if cookies are disabled, what should be used if cookies are enabled? Because either way, you need the sid in the link to logout.
T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Post by T0ny »

klutch wrote: I also have this same problem. All I could do was manually get the $SID. If append_sid() is only called if cookies are disabled, what should be used if cookies are enabled? Because either way, you need the sid in the link to logout.


This is how page_header.php constructs the logout link

Code: Select all

$u_login_logout = 'login.'.$phpEx.'?logout=true&sid=' . $userdata['session_id'];
klutch
Registered User
Posts: 5
Joined: Fri Mar 31, 2006 7:05 pm

Post by klutch »

Thanks T0ny, if I can't get append_sid() working, I will try manually adding the SID. It is just my understanding that append_sid() was to be used all the time.

From http://www.phpbb.com/kb/article.php?article_id=58:
Another question you may ask is "What if I need to use it in a form?"... append_sid() is used on ALL URLS. No exceptions. I cannot stress that enough.


From http://www.phpbb.com/kb/article.php?article_id=143:
Other Notes: * Although not required, it is highly recommended to append_sid() to all links in the pages. It is required that you append_sid() when linking back to the phpBB board itself.
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE

Post by drathbun »

Yes, you apply the function to all URLs.

No, the sid does not have to be visible. :-)

If cookies are allowed, then the sid is stored as a cookie. The append_sid() function takes care of putting the session on the URL only when needed but the append_sid() function is always needed. See the difference?

If you have users that allow cookies (most do) they will never see the sid. However, if you have one user that does not allow cookies, and you have one URL that is not processed by the append_sid() function, then when the user clicks that URL they will lose their session.
T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Post by T0ny »

klutch wrote: It is just my understanding that append_sid() was to be used all the time.


Yes, apart from the log out link :? which has to have the sid even if you're using cookies.

I think the reason for that is to protect against malicious users creating a link that will log anyone who follows it out. If they could then post it in a message (as an image src for example), it would log out everybody who viewed that message.
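
The behaviour described in the posts above, as an added PHP example that is not part of the thread and is not phpBB's own code: it shows why a logout link built with append_sid() fails for a user with cookies enabled, and why a link carrying no sid (such as one embedded in a post by another user) is refused. All `demo_*` function names and the sample session ID are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not phpBB source. All demo_* names are hypothetical.

// Stand-in for the behaviour drathbun describes: the sid goes on the URL
// only when the browser did not send the session cookie.
function demo_append_sid(string $url, string $session_id, bool $has_cookie): string
{
    if ($has_cookie || strpos($url, 'sid=') !== false) {
        return $url;
    }
    return $url . (strpos($url, '?') !== false ? '&' : '?') . 'sid=' . $session_id;
}

// Logout link in the style of the page_header.php line quoted above:
// the sid is always present, cookie or not.
function demo_logout_url(string $session_id): string
{
    return 'login.php?logout=true&sid=' . rawurlencode($session_id);
}

// Same test as the login.php check quoted earlier in the thread, written with
// a constant-time comparison: the sid in the request must match the session.
function demo_logout_allowed(array $query, array $userdata): bool
{
    $sid = isset($query['sid']) && is_string($query['sid']) ? $query['sid'] : '';
    return $sid !== '' && hash_equals($userdata['session_id'], $sid);
}

// Constructed sample session for a logged-in user.
$userdata = ['session_id' => '0123456789abcdef0123456789abcdef'];
$sid = $userdata['session_id'];

$cases = [
    'append_sid() link, cookies on'  => demo_append_sid('login.php?logout=true', $sid, true),
    'append_sid() link, cookies off' => demo_append_sid('login.php?logout=true', $sid, false),
    'explicit sid link'              => demo_logout_url($sid),
    'link embedded by another user'  => 'login.php?logout=true',
];

foreach ($cases as $label => $url) {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    $result = demo_logout_allowed($query, $userdata) ? 'logout' : 'Invalid_session';
    printf("%-32s %-62s %s\n", $label, $url, $result);
}
```

The first and last rows both end in `Invalid_session`: with cookies on, append_sid() leaves the sid off the URL, so the request is indistinguishable from a link planted by someone who does not know the session ID.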
klutch
Registered User
Posts: 5
Joined: Fri Mar 31, 2006 7:05 pm

Post by klutch »

Ah, okay, that clears some things up for me. Thanks a lot :)