Log in

FutureSight Forums

Index » Tech help » Another ConfirmAccount mod (Atom feed)

Pages: 1 2 Next

#1: 01 Dec 2015 04:10 - Edited

offline Krett12

Member

I have a website with both future-bb forums and a wiki, and I need the wiki account to be synced with the forum ones and I need a confirmaccount mod that makes sure it's the same username. I'm asking you because you know more about Future BB than I do.

#2: 02 Dec 2015 03:02

offline Jacob

Administrator
user avatar

FutureBB currently doesn't have any sort of API (once again, this would go against the simplistic design philosophy), so doing this would require accessing the database directly. In order to do this, you either need to create an extension that implements a basic authentication API or you need to access the database directly from MediaWiki.


Jacob G.
Executive director and co-head developer

#3: 03 Dec 2015 02:50

offline Krett12

Member

So if I made them use the same database then that would work?

#4: 03 Dec 2015 02:51

offline Krett12

Member

Well, couldn't there just be a "user verification post" and it just goes directly thru the html?

#5: 03 Dec 2015 04:54

offline Jacob

Administrator
user avatar

Krett12 wrote
So if I made them use the same database then that would work?

Krett12 wrote
Well, couldn't there just be a "user verification post" and it just goes directly thru the html?

You could do either of those things, but putting them on the same database would be more convenient to the user. Alternatively, you could try using PHP sessions to link the systems, as I did on a similar system.


Jacob G.
Executive director and co-head developer

#6: 03 Dec 2015 13:28

offline Krett12

Member

If they have the same session, they are who they say they are?

#7: 03 Dec 2015 13:31

offline Jacob

Administrator
user avatar

Krett12 wrote
If they have the same session, they are who they say they are?

The session information in PHP only stores what you put in it. FutureBB actually doesn't use PHP sessions at all, instead just using an authentication cookie (meaning that the session data won't tell you anything about the FutureBB login state). However, you could pretty easily retrofit it to store the current FutureBB user information in session data and then access that from MediaWiki.

You can read more on how PHP sessions work in the PHP documentation.


Jacob G.
Executive director and co-head developer

#8: 03 Dec 2015 13:32

offline Krett12

Member

But if the session ID is a text file, then can't an imposter just change it?

#9: 03 Dec 2015 13:34

offline Krett12

Member

Also, please move the forum to "TEch help" as it is basically all we are doing.

#10: 03 Dec 2015 13:34

offline Jacob

Administrator
user avatar

Krett12 wrote
But if the session ID is a text file, then can't an imposter just change it?

The session id is stored in a cookie, and you can indeed change it. However, you can counter this by periodically changing the session ids whenever the user logs in, thereby deleting any imposter sessions. You can also tie other data to the session (such as the user's browser type/version, IP address, etc.) and disregard any data stored in it if it doesn't match.


Jacob G.
Executive director and co-head developer

#11: 04 Dec 2015 12:41

offline Krett12

Member

But you could change it, not log in to the forums, then request an account?

#12: 04 Dec 2015 12:43

offline Krett12

Member

Well, the IP thing is a good idea. Both futurebb and MediaWiki can see your IP. In FutureBB 1.4, please make it so that IPs are in the cookie for me.

#13: 04 Dec 2015 12:44

offline Krett12

Member

Should I install the CheckUser extension for proper logging?

#14: 04 Dec 2015 13:22

offline Jacob

Administrator
user avatar

Krett12 wrote
But you could change it, not log in to the forums, then request an account?

I still don't think you quite understand how PHP sessions work. What is stored on your computer is just an id, and that id is associated with a session on the server. If you change your id to something besides what it is, chances are it will just point to a non-existent session, in which case the server will create a new one and populate it as necessary, but it will start off blank (i.e. without another user's data). It is possible to try to steal the session id of another user, but there are various measures to combat that as I explained earlier.

Krett12 wrote
Well, the IP thing is a good idea. Both futurebb and MediaWiki can see your IP. In FutureBB 1.4, please make it so that IPs are in the cookie for me.

The problem is that many people log in from multiple IP addresses (for example, I have a laptop that I use both at home and at school, and I don't want to have to log back in every time). In FutureBB, what's used instead is a login hash system, where there is a random hash on the server for each account, and that is stored in the user's cookie, encoded with the user's browser type (it's very specific, and therefore not a walk in the park to forge), and a user can sign out all other sessions by updating the login hash on the server (meaning all the other cookies will suddenly become invalid and lead to a non-logged-in user).

Krett12 wrote
Should I install the CheckUser extension for proper logging?

It's always a good idea.


Jacob G.
Executive director and co-head developer

#15: 04 Dec 2015 17:14 - Edited

offline Krett12

Member

Oh, browser type! So that's why when I switch browsers from Firefox to Opera (on my Mac, of course) I am not logged in.

So, I just need to have the extension do the same thing, and it will work?

Edit: 555th post!

#16: 04 Dec 2015 23:48

offline Jacob

Administrator
user avatar

Krett12 wrote
Oh, browser type! So that's why when I switch browsers from Firefox to Opera (on my Mac, of course) I am not logged in.

So, I just need to have the extension do the same thing, and it will work?

Edit: 555th post!

Well, that and the fact that the cookies most likely don't transfer over unless you configured it to do that yourself.

Yes, you could write an extension to do that. If you want to see an example of how to write an extension, you can see the ones we already have. We will include a guide on how to make extensions with the release of FutureBB 1.4 (which has finally entered testing).


Jacob G.
Executive director and co-head developer

#17: 05 Dec 2015 12:27

offline Krett12

Member

I didn't mean a futurebb extension I meant a MediaWiki one.

#18: 31 Dec 2015 11:46

offline iggyvolz

Member

All you really need to do on the MediaWiki side is hijack any queries for user information. I did this very simply for a project I'm doing. For example, to hook into logins, I do:
SELECT `email`, `id` FROM `futurebb_users` WHERE `username`=<username> AND `password`=<sha1 of password>
For a lookup by username, just do SELECT * FROM `futurebb_users` WHERE `username`=<username>.

Fairly simple to do DB lookups - I don't know how easy it is to hook into MediaWiki (haven't used it in forever).

#19: 31 Dec 2015 13:41

offline Jacob

Administrator
user avatar

iggyvolz wrote
All you really need to do on the MediaWiki side is hijack any queries for user information. I did this very simply for a project I'm doing. For example, to hook into logins, I do:
SELECT `email`, `id` FROM `futurebb_users` WHERE `username`=<username> AND `password`=<sha1 of password>
For a lookup by username, just do SELECT * FROM `futurebb_users` WHERE `username`=<username>.

Fairly simple to do DB lookups - I don't know how easy it is to hook into MediaWiki (haven't used it in forever).

The DB lookups in FutureBB aren't so bad, but MediaWiki as a whole is ridiculously complicated. I once did tie a Wiki into a FutureBB system, but that took me several days and had a lot of bugs, and I had to use session data to transfer information across softwares.


Jacob G.
Executive director and co-head developer

#20: 01 Jan 2016 02:29

offline Krett12

Member

Jacob wrote
I once did tie a Wiki into a FutureBB system,

And you're just telling me NOW?!?! That would've been good to know ages ago.

Index » Tech help » Another ConfirmAccount mod (Atom feed)

Pages: 1 2 Next

Embed topic (Show)