X-Cart forums, Dev Questions: Making it so they don't have to re-login every time (https://forum.x-cart.com/showthread.php?t=2752)

machnhed1 05-23-2003 01:19 PM

Quote:

Originally Posted by Jon
Thanks. I plan on creating a new reality TV show: The making of an automatic login script :P

Definitely a cookies issue here; password will likely need to be written to a cookie and verified as well. However, that could create a security issue in that the password can be pulled from the cookie.


If that's true it means you gotta encrypt the password - ugh.

Jon 05-23-2003 04:51 PM

Got that worked out.

The crypted password is stored as a variable, so I stored it in a cookie. I then included the login, logintype, and password to query the database. Since the password in the database is crypted, I didn't have to decrypt it. If the query returns null, the person is not logged in.

Changes to previous code:

reset_cookie.php

Code:

<?php

// Overwrite the saved-login cookies (login, login type, crypted password) with empty values
$savelogin = "";
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
$savelogintype = "";
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);
$saveloginpass = "";
setcookie("LoginPassCookie", $saveloginpass, time()+3600*24*180, "/", $xcart_http_host);
?>


set_cookie.php

Code:

<?php

// Set cookie with login name (all three cookies last 180 days)
$savelogin = $user_data['login'];
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
// User type "C" = customer (quoted: a bare C is an undefined constant)
$savelogintype = "C";
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);
// Crypted password exactly as stored in the customers table
$saveloginpass = $user_data['password'];
setcookie("LoginPassCookie", $saveloginpass, time()+3600*24*180, "/", $xcart_http_host);

?>


include/check_useraccount.php


Code:

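// Read the saved-login cookies; escape them because they go straight into the SQL string below
$LoginCookie = isset($_COOKIE['LoginCookie']) ? addslashes($_COOKIE['LoginCookie']) : "";
$LoginTypeCookie = isset($_COOKIE['LoginTypeCookie']) ? addslashes($_COOKIE['LoginTypeCookie']) : "";
$LoginPassCookie = isset($_COOKIE['LoginPassCookie']) ? addslashes($_COOKIE['LoginPassCookie']) : "";

// The crypted password from the cookie is compared directly with the stored value
$user_data=func_query_first("select * from $sql_tbl[customers] where login='$LoginCookie' and usertype='$LoginTypeCookie' and status='Y' and password='$LoginPassCookie'");

// A matching row logs the visitor in as that customer
if (!empty($user_data) && $LoginCookie != "" && $LoginTypeCookie == "C") {
    $login = $LoginCookie;
    $login_type = $LoginTypeCookie;
    $logged = $login;
}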


stryker898 07-08-2003 06:14 AM

This is definitely a worthy mod. Can someone bump this to the Custom Templates? Also, have you checked to see if this works after implementation? I would like to use this, but don't want to risk hacking my site to screw something else up. Thanks for your hard work and for posting it. :)

Chris

anoack 07-08-2003 09:58 AM

I installed this and it seemed to work just great.
Actually it worked perfect!
But, our worst dreams have come true. There is a major security flaw.
If you go on the website and log in and then go to /admin you are logged in as admin as a normal user.
From there I was able to access admin functions and look at orders, make product changes... Not good!
ACK!

Jon 07-08-2003 11:46 AM

Sorry, I did find that error in my beta testing but didn't think to post up the fix.

I believe I fixed this by adding current_area to my check_useraccount.php

Code:

<?php
#
# $Id: check_useraccount.php,v 1.12.2.4 2002/12/11 12:29:10 svowl Exp $
#
# This script authenticates user (session variables "login" and "login_type")
#
if ($HTTP_POST_VARS["login"] || $HTTP_GET_VARS["login"] || $HTTP_COOKIE_VARS["login"] || $HTTP_POST_VARS["login_type"] || $HTTP_GET_VARS["login_type"] || $HTTP_COOKIE_VARS["login_type"]) {
    header("Location: ../shop/error_message.php?access_denied");
    exit();
}

if ($_REQUEST["login"]) {
    header("Location: ../home/error_message.php?access_denied");
    exit();
}

if ($login_type!=$current_area && !empty($login)) {
    $logged=$login;
    $login="";
}
elseif ($login_type==$current_area && !empty($logged)) {
        $login=$logged;
        $logged="";
}

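if ($current_area == "C") {
        // Only the customer area honours the saved-login cookies.
        // Escape the cookie values because they go straight into the SQL string.
        $LoginCookie = isset($_COOKIE['LoginCookie']) ? addslashes($_COOKIE['LoginCookie']) : "";
        $LoginTypeCookie = isset($_COOKIE['LoginTypeCookie']) ? addslashes($_COOKIE['LoginTypeCookie']) : "";
        $LoginPassCookie = isset($_COOKIE['LoginPassCookie']) ? addslashes($_COOKIE['LoginPassCookie']) : "";
        $user_data=func_query_first("select * from $sql_tbl[customers] where login='$LoginCookie' and usertype='$LoginTypeCookie' and status='Y' and password='$LoginPassCookie'");
}


// $user_data is only set in the customer area, so other areas never reach this login
if (!empty($user_data) && $LoginCookie != "" && $LoginTypeCookie == "C") {
        $login = $LoginCookie;
        $login_type = $LoginTypeCookie;
        $logged = $login;
}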

session_register("login");
session_register("login_type");
session_register("logged");



if($login) {
        $user_account=func_query_first("select login, membership from $sql_tbl[customers] where login='$login'");
        $name=func_query_first("select firstname,lastname from $sql_tbl[customers] where login='$login'");
        if(empty($user_account)) {
                $login="";
                $login_type="";
        }
}

$smarty->assign("login",$login);
$smarty->assign("name",$name);
$smarty->assign("usertype",$current_area);

?>
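
The mod above keeps the crypted password in a cookie and builds its query from cookie values. As an added example (not code from this thread or from X-Cart), here is a remember-me cookie that carries a random token instead, is looked up with a prepared statement, and restores a login only in the customer area. The `remember_tokens` table, the function names and the sample login are assumptions.

```php
<?php
// Added example (not X-Cart code): table, function and sample names are hypothetical.
// The cookie carries a random single-purpose token, never the stored password value.

function remember_schema(PDO $db): void {
    $db->exec("CREATE TABLE IF NOT EXISTS remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        login TEXT NOT NULL, usertype TEXT NOT NULL, expires INTEGER NOT NULL)");
}

// Called after a successful customer login with "remember me" ticked.
function remember_issue(PDO $db, string $login): string {
    $selector  = bin2hex(random_bytes(9));   // lookup key, 18 hex characters
    $validator = bin2hex(random_bytes(32));  // secret half; only its hash is stored
    $stmt = $db->prepare("INSERT INTO remember_tokens VALUES (?, ?, ?, 'C', ?)");
    $stmt->execute([$selector, hash('sha256', $validator), $login, time() + 3600*24*180]);
    return "$selector:$validator";           // value to place in the cookie
}

// Returns the login to restore, or null. $current_area must come from the
// server-side script being run (as in X-Cart), never from the request.
function remember_check(PDO $db, string $cookie, string $current_area): ?string {
    if ($current_area !== 'C' || !preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                         // customer area only; malformed input refused
    }
    $stmt = $db->prepare("SELECT validator_hash, login FROM remember_tokens
                          WHERE selector = ? AND usertype = 'C' AND expires > ?");
    $stmt->execute([$m[1], time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null;                         // unknown, expired or tampered token
    }
    return $row['login'];
}

// Constructed demo on in-memory SQLite (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
remember_schema($db);
$cookie = remember_issue($db, 'jsmith');             // constructed login name
var_dump(remember_check($db, $cookie, 'C'));         // case: customer area
var_dump(remember_check($db, $cookie, 'A'));         // case: admin area
var_dump(remember_check($db, "x' OR '1'='1", 'C'));  // case: malformed cookie
```

Send the returned value with `setcookie()` using the Secure and HttpOnly flags, and delete the token row on logout or password change so a copied cookie stops working.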


Jon 07-08-2003 11:50 AM

^^ The last part of that code I use to change the welcome back message, as I didn't want to greet them by their login name. Instead: Welcome back, firstname lastname!

If you want to use that as well, you can edit your authbox.tpl to use:

Code:

Welcome back,
{$name[0]} {$name[1]}!


Jon 07-08-2003 11:53 AM

I believe that takes care of everything. If anybody sees anything else, please let me know asap.

toonarific 07-30-2003 06:00 AM

I tried this feature, and I followed every step, including the updates for security, and this is what happened:

Code:

Warning: Failed opening '../modules/Save_Login/set_cookie.php' for inclusion (include_path='.;c:\php4\pear') in W:\www-toonarific\xcart\include\login.php on line 80

Warning: Cannot add header information - headers already sent by (output started at W:\www-toonarific\xcart\include\login.php:80) in W:\www-toonarific\xcart\modules\Greet_Visitor\set_cookie.php on line 39

Warning: Cannot add header information - headers already sent by (output started at W:\www-toonarific\xcart\include\login.php:80) in W:\www-toonarific\xcart\include\func.php on line 163


I reverted back to the normal state until this error goes away. Any help is greatly appreciated.

toonarific 07-30-2003 06:28 AM

Never mind. I found my error.

toonarific 07-30-2003 07:11 AM

One major bug I found:

If a customer doesn't check the box, no matter how many times they try and log in, it doesn't recognize them. Only after they check the box does the store realize they want to log in.

