Authentication: cookies, and sessions. Please help

ddumont ✭✭
edited March 2011 in Vanilla 2.0 - 2.8
Can someone explain what the Vanilla-Volatile cookie is for?

Also, is there a way with Vanilla 2+ to include the Garden session classes so that I can check for valid sessions and stuff from php files not served up by garden?

Alternatively, is there a way to make a plugin/page in garden not print out any garden markup? I'm interested in using garden for access control, authentication, and session checking but I don't want it to format anything (data call).

Comments

  • @Lincoln @Todd
    Can you comment at all on any of this?

  • Linc Admin
    edited March 2011
    I'm fairly certain Vanilla does auth via the cookie on every page, not by storing it in the session. You'll want to auth the cookie using the cookie hash in your config.php file.

    There are several response types available in Garden. I assume you're looking for DeliveryMethod=JSON or something similar in your post calls.
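The data-only endpoint Linc is pointing at, as an added example (not code from this thread or from the Vanilla project): a small Vanilla 2.0-style plugin that registers a controller method and answers with JSON built from the current session, so no Garden markup is emitted and an external script can ask Garden whether the browser's cookie is valid instead of re-implementing the cookie hashing itself. The plugin name `SessionCheck`, the route `/plugin/sessioncheck`, the file location `plugins/SessionCheck/default.php` and the data keys are assumptions for the example; `DeliveryType()`, `DeliveryMethod()`, `SetData()`, `Render()`, `Gdn::Session()` and the `PluginController_X_Create` naming convention are the 2.0 APIs as I understand them, so check them against your install.

```php
<?php if (!defined('APPLICATION')) exit();
// Example plugin added for illustration; not from the forum post or from Vanilla itself.
// Assumed location: plugins/SessionCheck/default.php (plugin name is an assumption).

$PluginInfo['SessionCheck'] = array(
   'Name'        => 'Session Check',
   'Description' => 'Answers /plugin/sessioncheck with JSON only, no Garden markup.',
   'Version'     => '0.1',
   'Author'      => 'example'
);

class SessionCheckPlugin extends Gdn_Plugin {

   // Magic method name: Garden maps PluginController_SessionCheck_Create
   // onto the URL /plugin/sessioncheck and passes the controller as $Sender.
   public function PluginController_SessionCheck_Create($Sender) {
      // Force a data response regardless of how the client asked for it,
      // so the master view and all HTML rendering are skipped.
      $Sender->DeliveryType(DELIVERY_TYPE_DATA);
      $Sender->DeliveryMethod(DELIVERY_METHOD_JSON);

      // Garden has already rebuilt the session from the Vanilla cookie for
      // this request, so IsValid() is the cookie check the thread asks about.
      $Session = Gdn::Session();
      $Sender->SetData('Authenticated', $Session->IsValid());
      $Sender->SetData('UserID', (int) $Session->UserID);

      // Identity is not authorization: report a permission as well, so the
      // caller can make access-control decisions, not just "is logged in".
      if ($Session->IsValid()) {
         $Sender->SetData('CanViewDiscussions',
            $Session->CheckPermission('Vanilla.Discussions.View'));
      }

      // With DELIVERY_TYPE_DATA this emits json_encode() of the data array.
      $Sender->Render();
   }
}
```

Call it with the browser's cookies (`/plugin/sessioncheck`, or `/index.php?p=/plugin/sessioncheck` without URL rewriting). Because the response is built by Garden's own session layer, changes to the cookie format or salt in a later version do not break the caller, which is the main advantage over re-hashing the cookie in a standalone file.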
  • ddumont ✭✭
    edited March 2011
    [removed... I'll discuss the exploit in PMs or email]

  • Wow... that's an embarrassing security hole... this is ddumont btw
  • haha holy shit...
  • Well I guess I answered my own question about the security... I hope @Todd and @Mark will look at this.

  • Todd Vanilla Staff
    I think Vanilla-Volatile is there so that we can keep you signed in, but still increment your visit counts.

    It's probably a little difficult to pull out the files necessary to grab the hash. It looks like you might be able to do the following:

    1. Include class.cookieidentity.php.
    2. Generate stubs for Gdn::Config() and ArrayValue(). We should actually switch Gdn::Config() to calls to C().

    You can easily not have any Garden markup. Just create a controller and echo stuff right in the method. If you want to use a view then set the master page to "none." That master page is in the dashboard application.
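Todd's two steps carried out in a standalone PHP file, as an added example (not code from this thread or from Vanilla): it stubs `Gdn::Config()` (plus `C()`, which Todd says the class should move to) and `ArrayValue()`, loads `conf/config.php` to get `Garden.Cookie`, includes the real `class.cookieidentity.php`, and lets `Gdn_CookieIdentity::GetIdentity()` do the hash and expiry check. The install path `/var/www/vanilla`, the `APPLICATION` constant value and the `LoadConfig()` helper are assumptions; the stubs cover only the dotted-name `Gdn::Config()` lookups and `ArrayValue()` that the 2.0 class is described as needing, so if your copy of the class calls something else, PHP's undefined-function error will name it.

```php
<?php
// Standalone session check for a PHP file that Garden does not serve.
// Example code added here; not from the forum post or from Vanilla itself.
// Assumptions: Vanilla 2.0.x installed at $VanillaRoot, and conf/config.php
// setting $Configuration['Garden']['Cookie'] (Name, Path, Domain, HashMethod, Salt).

$VanillaRoot = '/var/www/vanilla';   // assumption: point this at your install

// Vanilla's files exit unless APPLICATION is defined; the value is arbitrary here.
define('APPLICATION', 'StandaloneCheck');

// Step 2 of Todd's recipe: stubs for the helpers class.cookieidentity.php relies on.
if (!function_exists('ArrayValue')) {
    function ArrayValue($Needle, $Haystack, $Default = false) {
        return (is_array($Haystack) && array_key_exists($Needle, $Haystack))
            ? $Haystack[$Needle] : $Default;
    }
}

if (!class_exists('Gdn')) {
    class Gdn {
        private static $Configuration = array();

        // Hypothetical helper: read Vanilla's config.php, which fills $Configuration.
        public static function LoadConfig($File) {
            $Configuration = array();
            require $File;
            self::$Configuration = $Configuration;
        }

        // Dotted-name lookup, e.g. 'Garden.Cookie.Salt' => $Configuration['Garden']['Cookie']['Salt'].
        public static function Config($Name = false, $Default = false) {
            $Value = self::$Configuration;
            foreach (explode('.', $Name) as $Key) {
                if (!is_array($Value) || !array_key_exists($Key, $Value)) {
                    return $Default;
                }
                $Value = $Value[$Key];
            }
            return $Value;
        }
    }
}

// Todd mentions the class may switch to C(); cover that spelling too.
if (!function_exists('C')) {
    function C($Name = false, $Default = false) {
        return Gdn::Config($Name, $Default);
    }
}

Gdn::LoadConfig($VanillaRoot . '/conf/config.php');

// Step 1 of Todd's recipe: the real class, so the hash and expiry logic is Vanilla's own.
require_once $VanillaRoot . '/library/core/class.cookieidentity.php';

$Identity = new Gdn_CookieIdentity();          // reads Garden.Cookie via the stub above
$UserID   = $Identity->GetIdentity();          // 0 when the cookie is absent, expired or fails its hash check

if ($UserID <= 0) {
    header('HTTP/1.1 401 Unauthorized');
    exit;
}

// From here on the caller is the Vanilla user with this ID. This is identity only:
// roles and permissions live in Garden's session layer, which this file does not load.
echo 'Authenticated as Vanilla UserID ' . (int) $UserID;
```

Two cautions when deploying this: the `Salt` in `config.php` is the secret that makes the cookie hash meaningful, so the standalone file and `conf/` must not be readable through the web server or from any less-trusted code, and a positive result here only says who the caller is, not what they may do; authorization still has to be checked, either against Garden's permissions or in your own code.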