Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.

Session Names

Hey,

I was wondering if anyone knew what the actual session names are that are used. I know how to call them, but I also need to know their names for other portions of my site.

Also, what sessions are used? I'm guessing when you log in you get a username session, userid session, and probably a password session. Any others?

Thanks for any help!

Comments

  • edited November 2008
    Look at library/People/People.Class.Session.php and library/People/People.Class.Authenticator (from memory, it's using $_SESSION['UserID'], $_SESSION['User'] and $_SESSION['SessionPostBackKey'] $_SESSION['LussumoUserID'] and $_SESSION['SessionPostBackKey']).
  • edited November 2008
    That is it? The only sessions that get set when you log in are those 2?

    I looked at those 2 files and Authenticator was just messy (too many objects...) and the session one was using a variable ($Name) to set the sessions, but I don't know where that variable is set.

    Just tried looking again more closely at authenticator and found this: @$_SESSION[$this->Context->Configuration['SESSION_USER_IDENTIFIER']] = $UserID;

    Problem with that is I still don't know the name for it lol. I looked in settings.php and there is nothing in there that has to do with sessions.
  • I did check: $_SESSION['LussumoUserID'] and $_SESSION['SessionPostBackKey']
  • Ok, and what do those do?

    Is UserID just the account id? Like 1, 2, 3, etc?

    And is the PostBackKey just the URL that the user was at before they went to log in? (So they can be redirected to it once they log in)
  • FormPostBackKey=$_SESSION['SessionPostBackKey'] should be added to all your forms or the Vanilla form won't be able to process a request. It is to prevent CSRF attacks.
  • There is just one session name - the default PHP session name, unless you override it in conf/settings.php. The default name is PHPSESSID. -- Jason
  • What does the SessionPostBackKey contain - is it a reference to my URL? Can I use a plain text value such as "myvalue" or do I have to generate a particular value (2b9121a30d....etc)? The reason I ask is that I can query the database and obtain the UserID easily (I know the user's Name), so I can set the LussumoUserID value and enable my users to access the discussion area directly from my password-protected application without having to log into the discussion board separately. Does that make sense? Richard
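
The anti-CSRF role of the postback key discussed in the comments above, as an added example that is not part of the thread and not Vanilla's own code: a generic session-bound token check using the session key and form field names quoted in the thread. The function names are hypothetical, plain arrays stand in for $_SESSION and $_POST, and PHP 7+ is assumed.

```php
<?php
// Added illustration; not Vanilla's implementation. Function names are hypothetical.
// 'SessionPostBackKey' and 'FormPostBackKey' are the names quoted in the thread.

// Return the per-session key, creating an unpredictable one on first use.
function postback_key(array &$session): string
{
    if (empty($session['SessionPostBackKey'])) {
        $session['SessionPostBackKey'] = bin2hex(random_bytes(16));
    }
    return $session['SessionPostBackKey'];
}

// Hidden field to embed in every form that changes state.
function postback_field(array &$session): string
{
    $key = htmlspecialchars(postback_key($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="FormPostBackKey" value="' . $key . '">';
}

// Accept a submission only if it carries the key stored in this session.
function postback_is_valid(array $session, array $post): bool
{
    $expected = $session['SessionPostBackKey'] ?? '';
    $supplied = $post['FormPostBackKey'] ?? '';
    return is_string($expected) && is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed demo data.
$session = ['LussumoUserID' => 1];
echo postback_field($session), PHP_EOL;

$ownForm = ['FormPostBackKey' => $session['SessionPostBackKey']];
$fixed   = ['FormPostBackKey' => 'myvalue']; // constant value, not tied to the session
$missing = [];                               // request sent without the field

foreach (['own form' => $ownForm, 'fixed value' => $fixed, 'no field' => $missing] as $label => $post) {
    echo $label, ': ', postback_is_valid($session, $post) ? 'accepted' : 'rejected', PHP_EOL;
}
```

The check only protects the user if the key is random per session; a constant shared by every session could be included in a request built on another site.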