Please upgrade here. These earlier versions are no longer being updated and have security issues.

Force re-login

edited June 2011 in Vanilla 2.0 - 2.8
Folks,

I'm a new user. I have a custom PHP application; I'm embedding Vanilla Forums into it using the embed plug-in. I'm trying to configure single sign-on using ProxyConnect.

I've been working from the instructions on this site: http://vanillaforums.org/page/singlesignon

I'm *almost* there. Really really close. I created a page that responds to Vanilla's request with the user data; it all works just fine.

Only one issue: credentials do not get "refreshed" automatically.

1) When I sign in to my application, Vanilla doesn't show me as signed in. As soon as I press the sign in button in Vanilla, it signs me in without requesting credentials.
2) When I log in as user 1 as described above, then log out of my application, and log back in as user 2, Vanilla shows me still logged in as user 1. When I press Log Off in Vanilla, then Log In in Vanilla, it shows me logged on as user 2.

Basically, what I need is a way to "force" Vanilla to re-authenticate the user. I'm very comfortable with PHP and JavaScript... I must be missing something really simple. Please help!

My application is at http://www.findtouch.com; my forum is at http://forum.findtouch.com.

Versions:
Vanilla 2.0.18b2
ProxyConnect 1.9.7

Thanks so much in advance! Such a great application!

Answers

  • Todd Chief Product Officer Vanilla Staff
    Vanilla has some flood control. I do believe that you can delete the Vanilla-Volatile cookie to force a refresh. If that doesn't work, also delete the Vanilla cookie.

    Since Vanilla's name is in the config you may have different cookie names, but the default is Vanilla.
  • Thanks so much for a speedy reply, Todd!

    Deleting the cookies named "Vanilla" and "Vanilla-Transient" indeed forced re-authentication. One remaining issue: these two cookies belong to the domain forum.findtouch.com; the code that's trying to delete them is running from the context of my application (www.findtouch.com domain). Is there a way to make the Vanilla session cookies come from the ".findtouch.com" domain so that my application code can access it?

    Thanks!
    -Alex
  • edited June 2011 Answer ✓
    I figured it out - there was of course a simple setting on the Proxy Connect module configuration page :). After Vanilla cookies were on the ".findtouch.com" domain, I was able to simply do this in my login page:

    setcookie("Vanilla", "deleted", time() - 1, '/', ".findtouch.com", false);
    setcookie("Vanilla-Volatile", "deleted", time() - 1, '/', ".findtouch.com", false);

    Everything works perfectly now - thanks a bunch!
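
Why the cookie domain setting mattered in the answer above, as an added example that is not part of the original thread: a small model of browser cookie storage (RFC 6265, section 5.3) replaying the exchange between www.findtouch.com and forum.findtouch.com. The `CookieJar` class, the `scenario` function and the cookie value are constructed for illustration; public-suffix checks and the Secure/HttpOnly flags are left out.

```javascript
// Minimal model of browser cookie storage per RFC 6265 section 5.3.
// Omitted: public-suffix checks, Secure/HttpOnly, path-match on send.

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie from `host`. Returns 'stored', 'deleted',
  // 'rejected' or 'no-match' (an expiry that hit no stored cookie).
  setCookie(host, { name, value, domain, path = '/', expired = false }) {
    let hostOnly = true;
    let cookieDomain = host;
    if (domain) {
      cookieDomain = domain.replace(/^\./, '').toLowerCase();
      // A host may only set cookies for itself or a parent domain.
      if (!domainMatches(host, cookieDomain)) return 'rejected';
      hostOnly = false;
    }
    // Identity of a cookie is (name, domain, path); the value is not part of it.
    const key = [name, cookieDomain, path].join('|');
    if (expired) return this.store.delete(key) ? 'deleted' : 'no-match';
    this.store.set(key, { name, value, domain: cookieDomain, hostOnly, path });
    return 'stored';
  }

  // Names of the cookies the browser would send to `host`.
  cookiesFor(host) {
    return [...this.store.values()]
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => c.name);
  }
}

// Scenario from the thread: the app on www tries to expire the forum's cookie.
// `vanillaCookieDomain` stands for the "Vanilla Cookie Domain" setting.
function scenario(vanillaCookieDomain) {
  const jar = new CookieJar();
  jar.setCookie('forum.findtouch.com',
    { name: 'Vanilla', value: 'constructed-session-user-1', domain: vanillaCookieDomain });
  const result = jar.setCookie('www.findtouch.com',
    { name: 'Vanilla', value: 'deleted', domain: '.findtouch.com', expired: true });
  return { result, stillSentToForum: jar.cookiesFor('forum.findtouch.com') };
}

console.log(scenario(undefined));        // forum cookie is host-only
console.log(scenario('.findtouch.com')); // forum cookie scoped to the parent domain
```

With the parent-domain setting, the Vanilla cookie is also sent to every other host under findtouch.com, so each of those hosts becomes part of the session's trust boundary.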
  • Hi, I have very similar symptoms as described in the OP, and am using the same versions:

    Vanilla 2.0.18b2
    ProxyConnect 1.9.7

    My application is currently on my local machine, and I think my issues must have something to do with the cookie domain. I tried the solution from alex in my login script, but it doesn't seem to make any difference. Here's the relevant lines in my login script:

    [code]
    $value = "something from somewhere";
    setcookie("ismycookieshowing", $value, time()+3600, "/", ".localhost");
    setcookie("Vanilla", "deleted", time() - 1,'/', ".localhost", false);
    setcookie("Vanilla-Volatile", "deleted", time() - 1, '/', ".localhost", false);
    [/code]

    Here's what I have in my logout script:

    [code]
    <?php
    session_start();
    session_destroy();
    setcookie('Vanilla', ' ', time() - 3600, '/', '.localhost');
    unset($_COOKIE['Vanilla']);
    setcookie("ismycookieshowing", $value, time() - 3600, "/", ".localhost");
    unset($_COOKIE['ismycookieshowing']);
    header("Location: front_page.php"); /* Redirect browser */
    ?>
    [/code]

    And in the proxyconnect settings page in the vanilla dashboard:
    [code]
    Vanilla Cookie Domain
    Currently: localhost
    [/code]

    But I have also tried ".localhost", "/" and leaving it blank. Here's where it gets weird. If I have this set to "/" or blank then it behaves much like the OP. If I have it set as "localhost" or ".localhost" then it appears to work quite well in refreshing the user in vanilla when I log in and out of my application... except proxyconnect no longer recognises new users going to the forum for the first time and instead brings up vanilla's signup page (http://localhost/my_application_folder/forums.php#/dashboard/entry/auth/password), even though the user is already signed in with my application and I have the sign in url configured in the settings as http://localhost/my_application_folder/front_page.php

    So... a bit confusing really. I can either have it recognise new users and not swap them when they log in and out via my application, or I can have them swap around as they should but not recognise new users...

    Any help?




  • Here's some more interesting symptoms of the problem...

    When the cookie domain is set as .localhost or localhost the sign-out link in vanilla (which is embedded in my application) doesn't redirect to my logout page/script. In fact, it doesn't log people out, it just sends people back to the vanilla home page, which I have set as categories/all. I'm not sure whether it in fact is logging people out, but then detecting that they are still logged in with my application and then automatically relogging them into vanilla or not.

    When the cookie domain is set as blank or "/" then the sign out link in vanilla does work, but it only signs them out from vanilla, leaving them signed into my application.

    When the cookie domain is blank or "/" and I try logging into my application from a new tab or a new window, the problem persists in that vanilla still shows the last person logged on rather than the new user that just logged in via the application. However, if I close the window and open again via selecting "new session" in the file menu of internet explorer, then I log into my application and go to the vanilla forum, everything works as I would expect it.

    This really does look like a failure to delete the vanilla cookies on logging out from my application... but where am I going wrong?