Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

jsConnect not reading $_SESSION variables hence not logging in - Vanilla 2.1.6

ravimravim New
edited November 2014 in Vanilla 2.0 - 2.8

Hi, I am using the php test code from github. The test url in Vanilla's 'JS Connect Settings' works fine i.e. it shows a valid jsonp response with logged in member's name, email and id after I login to my site and session data is set. But when I try to visit the forum after login to my original site, which is in a different folder of the same domain, it doesn't show the name for logged in member. I've tried multiple times by clearing cookies but the test url always work and the real forum is unable to fetch the logged in session data and always shows the bogus name as defined in the below given code.

Here's the test code, that I modified a bit. Any help would be greatly appreciated.

require_once 'functions.jsconnect.php';

// 1. Get your client ID and secret here. These must match those in your jsConnect settings.
$clientID = "myclientid";
$secret = "myclientsecret";

// 2. Grab the current user from your session management system or database here.
$signedIn = true; // this is just a placeholder


// 3. Fill in the user information in a way that Vanilla can understand.
$user = array();

if(!isset($_SESSION["myusername"])) $_SESSION["myusername"]="bogus";
if(!isset($_SESSION["myemail"])) $_SESSION["myemail"]="";
if(!isset($_SESSION["myid"])) $_SESSION["myid"]=1002;

   $user['uniqueid'] = $_SESSION["myid"];
   $user['name'] = $_SESSION["myusername"];
   $user['email'] = $_SESSION["myemail"];
   $user['photourl'] = '';

// 4. Generate the jsConnect string.

// This should be true unless you are testing. 
// You can also use a hash name like md5, sha1 etc which must be the name as the connection settings in Vanilla.
$secure = false; 
WriteJsConnect($user, $_GET, $clientID, $secret, $secure);


  • Options

    Why are you passing credentials around like this anyway? You provably aren't reviving the session becuase is not the same session. Check for a named session.

    A lot of frameworks don't use session in this way. In fact they don't use php session at all and even if they did wit would contain all this data, instead they use hand-rolled secure methodologies like hmac.

    I mean you could simply use session variable to pass to vanilla negating the need for jsConnect, but it would not be all that secure.

    I suggest doing the normal authentication of the framework session. Then get the user data, then provide the credential all on request. This is less susceptible to highjacking and hanging sessions.

    However retrieving the credentials from as the Provider, this is your responsibility. As you are the trusted provider.

    grep is your friend.

Sign In or Register to comment.