X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   Dev Questions (https://forum.x-cart.com/forumdisplay.php?f=20)
-   -   Making it so they don't have to re-login everytime (https://forum.x-cart.com/showthread.php?t=2752)

Jon 05-17-2003 07:57 PM

Making it so they don't have to re-login every time
 
I have some visitors complaining about having to re-login every time they come back.

How difficult is it to keep them logged in until they log out? Maybe set a cookie that gets read upon return and creates the session?

Eddie Hillegers 05-18-2003 07:12 AM

Sorry, I cannot help you with a solution, but I would be very careful with this. What happens if somebody stays logged in at the office or such? Especially when you store credit card information it can lead to very unpleasant situations. Who will be responsible if other people start buying on his account?

Cheers, Eddie

Jon 05-18-2003 07:43 AM

Yup, I understand the possible ramifications.

I NEVER store credit card information on my records, I just don't want that responsibility, and the user takes responsibility for their account in our terms of service. :wink:

funkydunk 05-18-2003 10:50 PM

If you change include/check_useraccount.php from

Code:

session_register("login");
session_register("login_type");


to

Code:

session_set_cookie_params(15552000);
session_register("login");
session_register("login_type");


That will save their session for 6 months - but I would warn against it for all the same reasons as highlighted.

anoack 05-19-2003 06:47 AM

Would it be possible to add a check box next to the login box
[X] Remember my Password

?

Jon 05-20-2003 10:05 AM

That's a good idea, and then maybe have a javascript popup warning when they check it.

I'll work on this tonight and see what I can come up with, don't see why it wouldn't be doable.

anoack 05-20-2003 10:07 AM

Cool!!! Keep us updated on your progress. Something like that would be very useful!

barabbas 05-21-2003 12:10 AM

yeah, that sounds really good, if you get the code for it, please share :)

Jon 05-22-2003 11:41 AM

session_set_cookie_params(15552000);

Adding that does not seem to work to keep sessions.

I can do the logistics of the checkbox, and what not, but I'm having difficulty getting it to set the extended cookie, and I need to do that first. :)

Jon 05-22-2003 12:11 PM

Quote:

Originally Posted by funkydunk
Code:

session_set_cookie_params(15552000);
session_register("login");
session_register("login_type");



Definitely doesn't work, any other thoughts?

Jon 05-22-2003 12:17 PM

My assumption is that you need to set a separate cookie, and then read from that cookie to start a new session when they return.

Jon 05-22-2003 01:05 PM

Ok. So we set a cookie:

Create a sub-folder in the Modules folder called: Save_Login

Create a file in the sub-folder called: set_cookie.php and put this code in it:

Code:

// Set cookie with login name
$savelogin = $user_data['login'];
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
$savelogintype = "C";   // quoted: a bare C would be an undefined constant, not the string "C"
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);


Then open /include/login.php and find this code:

Code:

db_query("update $sql_tbl[customers] set last_login='".time()."' where login='$login'");
db_query("insert into $sql_tbl[login_history] (login, date_time, usertype, action, status, ip) values ('$username',now(),'$usertype','login','success','$REMOTE_ADDR')");


AFTER that put:

Code:

#
# Set Remember Login Cookie
#

if ($login_type == "C") { include "../modules/Save_Login/set_cookie.php"; }


If the person is a customer, they now have a LoginCookie set under the domain name containing "username" and "logintype" where C is the userlevel, set to expire in 6 months.

Now we need to read from that cookie. (I'm documenting the process but don't believe this code to be correct until the process is finished).

Jon 05-22-2003 01:11 PM

Looks like there's some protection in check_useraccount.php against faking cookies or session variables:

Code:

if ($HTTP_POST_VARS["login"] || $HTTP_GET_VARS["login"] || $HTTP_COOKIE_VARS["login"] || $HTTP_POST_VARS["login_type"] || $HTTP_GET_VARS["login_type"] || $HTTP_COOKIE_VARS["login_type"]) {
    header("Location: ../customer/error_message.php?access_denied");
    exit();
}


Please feel encouraged to make this monologue a dialogue ;)

Jon 05-22-2003 06:48 PM

Got it to work, will post full modification for feedback, criticism and security checks shortly.

Jon 05-23-2003 12:35 PM

Here's what's needed. I'm using, I believe, 3.2.2; not positive on that.

Create a sub-folder in the Modules folder called: Save_Login

Create a file in the sub-folder called: set_cookie.php and put this code in it:

Code:

<?

// Set cookie with login name
$savelogin = $user_data['login'];
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
$savelogintype = "C";   // quoted: a bare C would be an undefined constant, not the string "C"
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);

?>


Create another file in that subfolder called: reset_cookie.php with this code in it:

Code:

<?

// Clear the saved login cookies by overwriting them with empty values
$savelogin = "";
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
$savelogintype = "";
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);

?>


Open include/check_useraccount.php and change to look like this:

Code:

<?
#
# $Id: check_useraccount.php,v 1.12.2.4 2002/12/11 12:29:10 svowl Exp $
#
# This script authenticates user (session variables "login" and "login_type"
#
if ($HTTP_POST_VARS["login"] || $HTTP_GET_VARS["login"] || $HTTP_COOKIE_VARS["login"] || $HTTP_POST_VARS["login_type"] || $HTTP_GET_VARS["login_type"] || $HTTP_COOKIE_VARS["login_type"]) {
    header("Location: ../customer/error_message.php?access_denied");
    exit();
}

if ($login_type!=$current_area && !empty($login)) {
    $logged=$login;
    $login="";
}
elseif ($login_type==$current_area && !empty($logged)) {
        $login=$logged;
        $logged="";
}

$LoginCookie = $_COOKIE['LoginCookie'];
$LoginTypeCookie = $_COOKIE['LoginTypeCookie'];
if ($LoginCookie != "" && $LoginTypeCookie == "C") {
        $login = $LoginCookie;
        $login_type = $LoginTypeCookie;
        $logged = $login;
}

session_register("login");
session_register("login_type");
session_register("logged");

if($login) {
        $user_account=func_query_first("select login, membership from $sql_tbl[customers] where login='$login'");
        if(empty($user_account)) {
                $login="";
                $login_type="";
        }
}

$smarty->assign("login",$login);
$smarty->assign("usertype",$current_area);

?>


Open up /include/login.php and find where it says this:

Code:

# 1) generate $last_login by current timestamp and update database
# 2) insert entry into login history

                db_query("update $sql_tbl[customers] set last_login='".time()."' where login='$login'");
                db_query("insert into $sql_tbl[login_history] (login, date_time, usertype, action, status, ip) values ('$username',now(),'$usertype','login','success','$REMOTE_ADDR')");


AFTER that, add this:

Code:

#
# Set Remember Login
#
if ($login_type == "C" && $remember == "Y") { include "../modules/Save_Login/set_cookie.php"; }


Also in include/login.php find this:

Code:

if($mode=="logout") {
#
# Insert entry into login_history
#
        db_query("insert into $sql_tbl[login_history] (login, date_time, usertype, action, status, ip) values ('$login',now(),'$login_type','logout','success','$REMOTE_ADDR')");


AFTER that add:

Code:

include "../modules/Save_Login/reset_cookie.php";

Open up skin1/auth.tpl (Note: I believe I've made some slight changes to this file, maybe just adding the "navlink" class). File should look similar to this:

Code:

{* $Id: auth.tpl,v 1.19 2002/09/10 12:36:33 zorg Exp $ *}

{literal}
<script LANGUAGE="JavaScript">
<!--
function confirmSubmit() {
if (document.authform.remember.checked == true) {
alert("By choosing to remain logged in all the time, others on your computer can access your account. Though we will never store credit card information, you will be held responsible for any orders placed on your account. In the future you can log out by clicking: Logoff");
document.authform.submit();
}
}
// -->
</script>
{/literal}
<TABLE border=0 cellPadding=5 cellSpacing=0 width=100%>
<FORM action=../include/login.php method=post name=authform>

<tr><td class="TableRight" colspan=2>
{if $usertype eq "C" or ($usertype eq "B" and $config.Modules.partner_register eq "Y")}<font face="verdana" size="1">Register Free|{/if}Lost Pass</font>
</td></tr>
<tr><td class="TableRight" colspan=2>
<font class="TableRight">{$lng.lbl_username}</font>

<input type=text name=username size=16 class="box">

<font class="TableRight">{$lng.lbl_password}</font>

<input type=password name=password size=16 class="box">

<input type=hidden name=mode value=login>
{if $active_modules.Simple_Mode ne "" and $usertype ne "C" and $usertype ne "B"}
<input type=hidden name=usertype value="P">
{else}
<input type=hidden name=usertype value="{$usertype}">
{/if}
<input type=hidden name=redirect value="{$redirect}">


<input type="checkbox" name="remember" value="Y"> <font size="1">Remember Me</font>

</td></tr>
<tr>
<td height=20 valign="bottom" colspan="2" class="TableRight">
<a class="navlink" onclick="confirmSubmit()">{include file="buttons/login_menu.tpl"}</a>

</td>
</tr>
</form>
</table>


Jon 05-23-2003 12:56 PM

I'm by no means a programming expert; does anybody see any security flaws?

There might be an issue with being able to fake cookies.

machnhed1 05-23-2003 12:59 PM

Been watching your posts for a while now. I haven't dissected the code yet, but regardless of the outcome - kudos on the work.

Jon 05-23-2003 01:11 PM

Thanks. I plan on creating a new reality TV show: The making of an automatic login script :P

Definitely a cookie issue here; the password will likely need to be written to a cookie and verified as well. However, that could create a security issue in that the password can be pulled from the cookie.

anoack 05-23-2003 01:17 PM

Quote:

Originally Posted by Jon
Thanks. I plan on creating a new reality TV show: The making of an automatic login script


Oh yeah? I heard FOX was going to produce it

Jon 05-23-2003 01:19 PM

Naturally.

machnhed1 05-23-2003 01:19 PM

Quote:

Originally Posted by Jon
Thanks. I plan on creating a new reality TV show: The making of an automatic login script :P

Definitely a cookie issue here; the password will likely need to be written to a cookie and verified as well. However, that could create a security issue in that the password can be pulled from the cookie.


If that's true it means you gotta encrypt the password - ugh.

Jon 05-23-2003 04:51 PM

Got that worked out.

The crypted password is stored as a variable, so I stored it in a cookie. I then included the login, logintype, and password to query the database. Since the password in the database is crypted, I didn't have to decrypt it. If the query returns null, the person is not logged in.

Changes to previous code:

reset_cookie.php

Code:

<?

// Clear the saved login cookies by overwriting them with empty values
$savelogin = "";
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
$savelogintype = "";
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);
$saveloginpass = "";
setcookie("LoginPassCookie", $saveloginpass, time()+3600*24*180, "/", $xcart_http_host);
?>


set_cookie.php

Code:

<?

// Set cookie with login name
$savelogin = $user_data['login'];
setcookie("LoginCookie", $savelogin, time()+3600*24*180, "/", $xcart_http_host);
$savelogintype = "C";   // quoted: a bare C would be an undefined constant, not the string "C"
setcookie("LoginTypeCookie", $savelogintype, time()+3600*24*180, "/", $xcart_http_host);
$saveloginpass = $user_data['password'];
setcookie("LoginPassCookie", $saveloginpass, time()+3600*24*180, "/", $xcart_http_host);

?>


include/check_useraccount.php


Code:

$LoginCookie = $_COOKIE['LoginCookie'];
$LoginTypeCookie = $_COOKIE['LoginTypeCookie'];
$LoginPassCookie = $_COOKIE['LoginPassCookie'];

# cookie values are untrusted input: escape them before they reach the query
$user_data=func_query_first("select * from $sql_tbl[customers] where login='".addslashes($LoginCookie)."' and usertype='".addslashes($LoginTypeCookie)."' and status='Y' and password='".addslashes($LoginPassCookie)."'");

if (!empty($user_data) && $LoginCookie != "" && $LoginTypeCookie == "C") {
$login = $LoginCookie;
$login_type = $LoginTypeCookie;
$logged = $login;
}


stryker898 07-08-2003 06:14 AM

This is definitely a worthy mod. Can someone bump this to the Custom Templates? Also, have you checked to see if this works after implementation? I would like to use this, but don't want to risk hacking my site to screw something else up. Thanks for your hard work and for posting it. :)

Chris

anoack 07-08-2003 09:58 AM

I installed this and it seemed to work just great.
Actually it worked perfect!
But, our worst dreams have come true. There is a major security flaw.
If you go on the website and login and then go to /admin you are logged in as admin as a normal user.
From there I was able to access admin functions and look at orders, make product changes... Not good!
ACK!

Jon 07-08-2003 11:46 AM

Sorry, I did find that error in my beta testing but didn't think to post up the fix.

I believe I fixed this by adding current_area to my check_useraccount.php

Code:

<?
#
# $Id: check_useraccount.php,v 1.12.2.4 2002/12/11 12:29:10 svowl Exp $
#
# This script authenticates user (session variables "login" and "login_type"
#
if ($HTTP_POST_VARS["login"] || $HTTP_GET_VARS["login"] || $HTTP_COOKIE_VARS["login"] || $HTTP_POST_VARS["login_type"] || $HTTP_GET_VARS["login_type"] || $HTTP_COOKIE_VARS["login_type"]) {
    header("Location: ../shop/error_message.php?access_denied");
    exit();
}

if ($_REQUEST["login"]) {
    header("Location: ../home/error_message.php?access_denied");
    exit();
}

if ($login_type!=$current_area && !empty($login)) {
    $logged=$login;
    $login="";
}
elseif ($login_type==$current_area && !empty($logged)) {
        $login=$logged;
        $logged="";
}

if ($current_area == "C") {
        $LoginCookie = $_COOKIE['LoginCookie'];
        $LoginTypeCookie = $_COOKIE['LoginTypeCookie'];
        $LoginPassCookie = $_COOKIE['LoginPassCookie'];
        # cookie values are untrusted input: escape them before they reach the query
        $user_data=func_query_first("select * from $sql_tbl[customers] where login='".addslashes($LoginCookie)."' and usertype='".addslashes($LoginTypeCookie)."' and status='Y' and password='".addslashes($LoginPassCookie)."'");
}

if (!empty($user_data) && $LoginCookie != "" && $LoginTypeCookie == "C") {
        $login = $LoginCookie;
        $login_type = $LoginTypeCookie;
        $logged = $login;
}

session_register("login");
session_register("login_type");
session_register("logged");



if($login) {
        $user_account=func_query_first("select login, membership from $sql_tbl[customers] where login='$login'");
        $name=func_query_first("select firstname,lastname from $sql_tbl[customers] where login='$login'");
        if(empty($user_account)) {
                $login="";
                $login_type="";
        }
}

$smarty->assign("login",$login);
$smarty->assign("name",$name);
$smarty->assign("usertype",$current_area);

?>


Jon 07-08-2003 11:50 AM

^^ The last part of that code I use to change the welcome back message, as I didn't want to greet them by their login name. Instead: Welcome back, firstname lastname!

If you want to use that as well, you can edit your authbox.tpl to use:

Code:

Welcome back,
{$name[0]} {$name[1]}!


Jon 07-08-2003 11:53 AM

I believe that takes care of everything. If anybody sees anything else, please let me know asap.

toonarific 07-30-2003 06:00 AM

I tried this feature, and I followed every step, including the updates for security, and this is what happened

Code:

Warning: Failed opening '../modules/Save_Login/set_cookie.php' for inclusion (include_path='.;c:\php4\pear') in W:\www-toonarific\xcart\include\login.php on line 80

Warning: Cannot add header information - headers already sent by (output started at W:\www-toonarific\xcart\include\login.php:80) in W:\www-toonarific\xcart\modules\Greet_Visitor\set_cookie.php on line 39

Warning: Cannot add header information - headers already sent by (output started at W:\www-toonarific\xcart\include\login.php:80) in W:\www-toonarific\xcart\include\func.php on line 163


I reverted back to the normal state until this error goes away. Any help is greatly appreciated.

toonarific 07-30-2003 06:28 AM

Never mind. I found my error.

toonarific 07-30-2003 07:11 AM

One major bug I found
 
If a customer doesn't check the box, no matter how many times they try to log in, it doesn't recognize them. Only after they check the box does the store realize they want to log in.

toonarific 07-30-2003 07:19 AM

And is there a way to only have the 'Remember Me' check box appear on the customer's home page, and not the admin page?

Jon 07-30-2003 09:36 AM

Re: One major bug I found
 
Quote:

Originally Posted by toonarific
If a customer doesn't check the box, no matter how many times they try to log in, it doesn't recognize them. Only after they check the box does the store realize they want to log in.


I haven't had this problem.

Jon 07-30-2003 09:45 AM

Quote:

Originally Posted by toonarific
And is there a way to only have the 'Remember Me' check box appear on the customer's home page, and not the admin page?


I have my admin section on a secure URL, so I have separate auth.tpl's.

You could probably just edit your auth.tpl with something like this:

Code:

{if $redirect ne "admin"}


<input type="checkbox" name="remember" value="Y"> <font size="1">Remember Me</font>
{else}
<input type="hidden" name="remember" value="">
{/if}


toonarific 07-30-2003 09:56 AM

I just tried that. It does make the checkbox go away, but then when I try to log in I get a CGI error. Also, I noticed that after I log in with the checkbox, the only way it recognizes when I log out is when I completely close the browser and reopen it.

Jon 08-01-2003 03:34 PM

I'm sure you've made errors in your coding.

I don't know how you get a CGI error when you're working with PHP ?!?

bbf 08-17-2003 02:10 PM

Nice work, Jon.

I haven't looked at your code thoroughly, but right off the bat I'll give you some advice. The proper, secure way to store logins is to use sessions.

The only thing you store on the user's machine is a cookie with the SESSIONID. When that cookie expires, the user is logged out. You then store the username/password in the session that matches the SESSIONID in the cookie.

This way you don't need to worry about encryption or any reverse engineering of the crypt method by a session hijacker.

Ideally, Xcart should leave the user logged in forever, but then authenticate if the user goes into sensitive areas like Checkout, Modify Profile, Modify Credit Card, etc. This is how most large sites do it (e.g. Amazon).

minorgod 09-23-2003 09:11 AM

X-Cart does use sessions to store auth info. Sessions generally expire. That's the point of all this cookie talk. Nobody wants to store inactive sessions in their database for months on end.

xcell67 05-09-2004 08:14 PM

Hmm, I had this working on 3.4.14 but can't get it to work on 3.5.x, anyone else have any luck using this for 3.5.x? If you did, can you please paste your code for login.php, check_useraccount.php and auth.tpl?

Thanks

g0t0pless 10-22-2004 09:48 PM

Jon: I am anxious to try this mod, but I have 2 things I want to discuss first.

1: Does it work with 4.0.X?
2: Can you please repost, in a single post, all the code that needs to be changed? I tried to follow along, but there are fixes for fixes posted later in the thread. An all-in-one reply would be great, so we can just follow along in a single post rather than jumping all around.

And hey, thanks for the awesome job. People like you keep this place alive.

Jon 10-23-2004 06:08 PM

I don't know what versions it will work on, likely it would need adaptation for the 3.5.x and 4.0.x versions. I don't have time to work on this.

Jon

