COOKIE_SALT is no longer the license number since vB 3.8.4 [#734226]

I'm using vb 3.8.4 and I've gotten things to work so far except for a couple things.

By default vb's session timeout is 900 seconds or 15 minutes and drupal's cookie session lasts for a little over 23 days I believe. What happens in my case is I login and in 15 minutes, I will be logged out of vb, but still logged into drupal. If I try to login again, it won't work since the drupal session is still alive not allowing you to log in again. You would need to logout and then log back in again, but this process would repeat. My attempt to solve this was to use the automated logout module and set the drupal timeout to 900 seconds to match the vb session timeout. The problem with this is that browsing the site doesn't keep the forum session active and vice versa. For instance, if I set the timeout to 15 minutes and after 14 minutes I browse to another page in drupal, the session at that point will be extended 15 minutes, but the vb session won't be. So 2 minutes later (16 minutes total) if I try to browse the forum, I will be logged out, but still logged in to drupal. If I try to login to the forums, it won't work once again due to the drupal session still being alive so I'm back to square one it seems.

My other concern is regarding editing the user data. It says, "updating user data in vBulletin upon update in Drupal." What kind of user data would that refer to, is it only the username/email/password, or does it include other profile files, or things such as avatar and signatures? Also, since you must redirect them to drupal forms to edit email and password to sync with both systems, basically the me aliases module is a must have right? The readme says this is optional, but it seems necessary to me since if you edit your email or password through vbulletin it will only change your vb email and pass, but not drupal email and pass. Then there will be problems when trying to login. So with the me aliases module you would redirect users to the drupal edit email and pass form instead. However, this only occurs for the edit email and pass link on the left sidebar of vb. If you click edit your details, at the top of that page, there is also a input form button that says edit email and pass. If you click that edit button you won't be redirected to the drupal form and the user will end up changing his password for vb only and a whole bunch of problems will follow. What would be the best way to solve this, would you need to remove that button entirely?

Anyone else experience these issues and how did you solve them? Thanks.

Comments

Comment #1

taylormm CreditAttribution: taylormm commented 10 March 2010 at 00:53

Category:	support	» bug
Priority:	Normal	» Critical
Status:	Active	» Needs review

I modified drupalvb.module to fix this issue.
I modified the function drupalvb_login

Here is the original function:

function drupalvb_login() {
  global $user;

  if ($_POST['name']) {
    $form_state = array('values' => $_POST);
    if ($user->uid) {
      // If the user is already logged in to Drupal, we ensure the same for
      // vBulletin.
      if (drupalvb_login_validate(array(), $form_state)) {
        drupal_goto(!empty($_REQUEST['destination']) ? $_REQUEST['destination'] : 'user/'. $user->uid);
      }
      else {
	// Where do we go from here? user/login won't work, as the user is
        // already authenticated in Drupal.
        unset($_REQUEST['destination']);
        drupal_goto(variable_get('site_frontpage', 'node'));
      }
    }
    else {
      // Otherwise perform the full login procedure.
      foreach (user_login_default_validators() as $validator) {
        $validator(array(), $form_state);
      } 
      if (!form_get_errors()) {
        user_login_submit(array(), $form_state);
        $redirect = (isset($form_state['redirect']) ? $form_state['redirect'] : '');
        drupal_goto(!empty($_REQUEST['destination']) ? $_REQUEST['destination'] : $redirect);
      }
      else {
 	// Login failed: send back to login form.
        unset($_REQUEST['destination']);
        drupal_goto('user/login');
      }
    }
  }
}

Here is the new function:

function drupalvb_login() {
  global $user;
      
  if ($_POST['name']) {
    $form_state = array('values' => $_POST);
    if ($user->uid) {
      // If the user is already logged in to Drupal, we ensure the same for
      // vBulletin.
      if (drupalvb_login_validate(array(), $form_state)) {
        drupal_goto(!empty($_REQUEST['destination']) ? $_REQUEST['destination'] : 'user/'. $user->uid);
      }
    }

      // Otherwise perform the full login procedure.
      foreach (user_login_default_validators() as $validator) {
        $validator(array(), $form_state);
      }
      if (!form_get_errors()) {
        user_login_submit(array(), $form_state);
        $redirect = (isset($form_state['redirect']) ? $form_state['redirect'] : '');
        drupal_goto(!empty($_REQUEST['destination']) ? $_REQUEST['destination'] : $redirect);
      }
      else {
        // Login failed: send back to login form.
        unset($_REQUEST['destination']);
        drupal_goto('user/login');
      }
  }
}

I changed it so that if drupalvb_login_validate fails, it will just force a full login instead of redirecting them to the front page.
This way, if they go to the forum while drupal is logged in and they are logged out on the forum (because vbulletin's cookies have expired), it can just log them back in and redirect them back to the forum with new cookies (through the use of the ?destination= variable). Otherwise, the user is caught in a trap where they can't login to the forum because drupal has them marked as being logged in already.

I am not a security expert but I think this is okay.
I would love to hear feedback on this.

Comment #2

sun

German

Karlsruhe

CreditAttribution: sun commented 10 March 2010 at 01:15

Priority:	Critical	» Normal
Status:	Needs review	» Active

um, could you do a proper patch? See http://drupal.org/patch for more information.

Comment #3

Platinum CreditAttribution: Platinum commented 10 March 2010 at 03:46

Thanks taylormm, that seems to fix half of my problem for being not able to log in given that condition. Is there a workaround for the other half? Assuming your timeout is 900 seconds, or 15 minutes in both drupal and vb, and you login at 10:00 and browse the forums for 20 minutes, it's now 10:20 and your still logged in on the forums, but if you go back to visit the main site now, you'll be logged out (with this patch, you'll be logged out of both drupal and forums). Assuming instead you spent the 20 minutes browsing on drupal and now go to the forums, you'd be logged out of the forums, but still logged into drupal. Ideally I'd want it so that if your active on either drupal or the forums over the course of 15 minutes, you'd still be logged in both drupal and vb. And if you were inactive on both drupal and vb in that 15 minutes, then you'd be logged out of both. Is that doable?

Comment #4

rsuplido CreditAttribution: rsuplido commented 10 March 2010 at 21:01

I had the same problem and I've found something odd with vB 3.8.4. Go open [vb folder]/includes/functions.php and look at line 37. In older vB's, the COOKIE_SALT string is your license number. On 3.8.4 however, my copy shows a 39-character string. Anyway, if the string specified in line 37 is different than your license number, use this string instead as the "vBulletin license number" in Drupal vB's config. This should fix your problem.

As for aliases, yes, the only way to fix this for me is to install 'Me aliases.'

I also removed the login fields in navbar and several other templates so i could force users to log on from Drupal.

EDIT: It looks like this is a vB bug ( http://www.vbulletin.com/forum/project.php?issueid=34514 ). This might have been fixed already. Check the file anyway.

Comment #5

Platinum CreditAttribution: Platinum commented 10 March 2010 at 21:25

Awesome rsuplido, thanks for sharing, this almost solves my problem. It seems to only work one way for me though. Surfing on drupal will extend both timeouts, but surfing on the forums won't extend the drupal timeout. Do you have it working both ways?

Comment #6

rsuplido CreditAttribution: rsuplido commented 11 March 2010 at 14:49

As far as I know, the timeout doesn't get really extended. They get set when you log in. vB's cookies are set to expire after a year when you check 'Remember me.' On Drupal however, it is set to I think 3 months by default. The trick is, you don't let users log in from vB so the cookies expire at the same time for both Drupal and vB.

Comment #7

Platinum CreditAttribution: Platinum commented 11 March 2010 at 23:31

Yep I had drupal managing all the logins/logouts, but after a lot of testing apparently it was the automated logout playing tricks on me. With the cookie salt fix you suggested I probably don't need that module anymore. I needed it before to balance the timeouts. Things seem to be working fine now, thanks again!

Edit:
Forgot to mention that the patch above probably isn't required then since it doesn't really solve the underlying problem. Better to follow the steps in #4.

Comment #8

rsuplido CreditAttribution: rsuplido commented 12 March 2010 at 19:57

FYI, I downloaded the just released 3.8.5 and it still had the COOKIE_SALT bug in includes/functions.php.

EDIT: Just to letting everyone know that I submitted this as a bug to vBulletin and they replied that it isn't a bug. This means, the Drupal vB admin should be changed to ask for the COOKIE_SALT string in [vb folder]/includes/functions.php and not the license number.

More info here: http://www.vbulletin.com/forum/project.php?issueid=36858

Comment #9

sun

German

Karlsruhe

CreditAttribution: sun commented 9 January 2011 at 04:02

Title:	How to properly set user session and editing user data	» COOKIE_SALT is no longer the license number since vB 3.8.4
Component:	Miscellaneous	» Code
Priority:	Normal	» Major

Discussion around the first described issue should be moved into #866326: vBulletin loses session/cookie before Drupal does

Updating issue title for the second issue.

Comment #10

sun

German

Karlsruhe

CreditAttribution: sun commented 10 December 2011 at 16:46

Looks like we're about to fix this.

#1367112: Determine vB version by parsing config.php will allow us to automatically determine the vBulletin version in use.

#691736: Vbulletin 4 Support contains a patch that adjusts the settings form to account for the new cookie salt value. That part of the patch should probably be extract and tackled here.