
Grab TransientKey in parent website

Hello, how would I go about grabbing the vanilla TransientKey value from embedded forum (embed.js??)?

Thanks!
Donovan

Comments

  • Is it accessible from a cookie perhaps? The forum is located in a subdirectory of the html root, so I should have access to the vanilla cookies from the main site.

    Donovan

  • donovanb
    edited May 2017

    I discovered the TransientKey is located in the GDN_User table in the Attributes column. I can grab that column... but I then need to parse out the TransientKey value. This doesn't quite look like JSON... so any ideas on the best way to parse out the key? Here is an example of the Attributes value:

    a:1:{s:12:"TransientKey";s:16:"2FnVpajSusQ1J1Rp";}

    I need just the '2FnVpajSusQ1J1Rp' part!

  • R_J Ex-Fanboy Munich Admin

    If you need it in JavaScript, you can get it like that: var transientKey = gdn.definition('TransientKey');. It is part of global.js

    From out Vanilla you can use methods in the session class (validateTransientKey, transientKey). If you have a user object, you can use UserModel's getAttribute to extract the transientKey. But bear in mind that a user doesn't always have to have a transient key.

  • R_J Ex-Fanboy Munich Admin

    @donovanb said:
    a:1:{s:12:"TransientKey";s:16:"2FnVpajSusQ1J1Rp";}

    I need just the '2FnVpajSusQ1J1Rp' part!

    That is a serialized array

  • R_J, excellent.. that was the missing component. Just to follow up, here is my solution.. I could not find a more thin way to do this, but maybe there is one. "$row" is the row returned from the database.

                $AttrString = http_build_query(unserialize($row['Attributes']));
                parse_str($AttrString, $output);
                $vTKey = $output['TransientKey'];
    

    Regarding "user doesn't always have to have a Transient Key".. how do they log out then? It seems it is required.

  • out of interest what are you actually trying to do?

    grep is your friend.

  • R_J Ex-Fanboy Munich Admin

    @donovanb said:
    Regarding "user doesn't always have to have a Transient Key".. how do they log out then? It seems it is required.

    That might have been not enough information: as far as I know a logged in user needs to have a transient key. Since I don't know how you use that, you need to take into consideration that your code above can generate an error if you try that for a user who isn't logged in: $output['TransientKey']; the key isn't defined in such a case.

  • @R_J said:

    @donovanb said:
    Regarding "user doesn't always have to have a Transient Key".. how do they log out then? It seems it is required.

    That might have been not enough information: as far as I know a logged in user needs to have a transient key. Since I don't know how you use that, you need to take into consideration that your code above can generate an error if you try that for a user who isn't logged in: $output['TransientKey']; the key isn't defined in such a case.

    Good point, but I don't think a user can get to this function without being logged in... but the testing phase is next... so will keep an eye open.

  • R_J Ex-Fanboy Munich Admin

    You seem to work with the database, but not with Vanilla. Else you could use a helper function: val('TransientKey', $output);
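
Added example, not part of the thread and not Vanilla's own code: one way to read the key straight from the `Attributes` column without the `http_build_query`/`parse_str` round trip, covering the missing-key case raised above and refusing to instantiate objects from database data. The function name and all sample rows except the value quoted in the thread are constructed for illustration.

```php
<?php
// Added example. transientKeyFromAttributes() is a hypothetical helper;
// $attributesColumn stands for the raw GDN_User.Attributes value.

function transientKeyFromAttributes(?string $attributesColumn): ?string
{
    if ($attributesColumn === null || $attributesColumn === '') {
        return null; // user row has no attributes at all
    }

    // allowed_classes => false: a serialized object in the column becomes
    // __PHP_Incomplete_Class instead of a live instance, so no
    // __wakeup()/__destruct() code runs on data read from the database.
    // @ hides the notice/warning PHP emits for a corrupt string; the
    // false return value is handled below.
    $attributes = @unserialize($attributesColumn, ['allowed_classes' => false]);

    if (!is_array($attributes)) {
        return null; // corrupt value or not a serialized array
    }

    // No "undefined index" error when the user has no transient key.
    $key = $attributes['TransientKey'] ?? null;

    return (is_string($key) && $key !== '') ? $key : null;
}

// Sample rows: the first is the value quoted in the thread, the rest are constructed.
$rows = [
    'with key' => 'a:1:{s:12:"TransientKey";s:16:"2FnVpajSusQ1J1Rp";}',
    'no key'   => 'a:1:{s:9:"SomeOther";s:1:"x";}',
    'empty'    => null,
    'corrupt'  => 'a:1:{s:12:"Transient',
];

foreach ($rows as $label => $column) {
    $key = transientKeyFromAttributes($column);
    printf("%-8s => %s\n", $label, $key ?? '(none)');
}
```

Only the first row yields a key; the other three print `(none)` instead of raising an error.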

  • @x00 said:
    out of interest what are you actually trying to do?

    After days of hacking out a good way of logging someone out of my website (single sign off).. the only decent method I could find was to first use vanilla's signout URL, then use its target to redirect back to the main website logout. Now I can do a SSout from the main website. Seems to work fine.

    After we go live, I will try to make a tutorial on all of this.. because it was a week's worth of work to get it all working.. embedded SSO with jsConnect and codeigniter.

  • x00 MVP
    edited May 2017

    if you are able to access the database, then you are on the same server and presumably domain so you could simply delete the cookie by expiry.

    grep is your friend.

  • for those wanting the transient key via the client you can use this method

    $('<TransientKey>').load('https://open.vanillaforums.com/entry/signin?DeliveryType=VIEW #Form_TransientKey', function(){
        console.log($(this).children().first().val())
    });
    

    grep is your friend.

  • @x00 said:
    if you are able to access the database, then you are on the same server and presumably domain so you could simply delete the cookie by expiry.

    Unfortunately that did not work for me... tried it several different ways.
