Comments on: Integrating the Vanilla forum into a PHP application

By: Jason Judge

Jason Judge — Sun, 23 Nov 2008 17:40:03 +0000

About the verification key - it seems to be a potental security vulnerability. To log into a forum as a specific user, all you need to know is the verification key and user ID. There are ways of getting hold of the user ID (from postings) and if you create a verification key that is determinate (i.e. can be calculated knowing various things about the account you are logging into) then an attacker could create the pair of cookies and waltz right in.

Check out the function DefineVerificationKey() in Vanilla. It goes to great lengths to ensure the key is random. IMO it should be reset and randomised each time the user logs out.

By: differant-jason

differant-jason — Wed, 29 Oct 2008 14:59:48 +0000

thanks dude.. exactly what I was looking for. KUDOS!!

By: Deepak

Deepak — Thu, 28 Aug 2008 16:08:21 +0000

Thanks, Saved lots of time.

By: Jason

Jason — Mon, 25 Aug 2008 20:34:52 +0000

It’s me again, I was able to figure it out. I did what Jan said about and it works like a charm. I can now login and out using whatever method I want. Thanks again for all your efforts, and thank you Jan!

Jason

By: Jason

Jason — Mon, 25 Aug 2008 19:45:11 +0000

It seems Vanilla has changed a bit since this post was written. I was able to use your guide and mod it a bit and can now login to Vanilla through an alternative login form but it won’t logout. It seems Vanilla uses php sessions to store user login information, and it seems Vanilla uses a different session altogether than the application I am trying to integrate it with.

Any pointers or perhaps an updated tutorial? This is the ONLY post I can find about integrating Vanilla into a custom application and I have looked for hours upon hours at other examples and am just lost.

Thanks buddy!

By: Jan

Jan — Tue, 06 May 2008 18:09:33 +0000

Hi Prashant,

many thanks for your great tutorial. It really helped me a lot with our application integration.

Only that I almost killed myself trying to logoff from Vanilla from my applications logout routine. I was able to authenticate but never to deauthenticate. Untill I learned that you have to synchronize the application session and the vanilla session. Which means you have to add the line
$Configuration[’SESSION_NAME’] = ‘my_session’;
in the file conf/settings.php when you are using a not standard session name like ‘my_session’. This line tells Vanilla to use the different session name for its authentication.

Furthermore you have to destroy the session when logging out. Just add the line
session_destroy();
to your applications logout routine and everything seems to be working smoothly afterwards.

By: Prashant

Prashant — Tue, 11 Sep 2007 16:10:47 +0000

Hi Joe,

I haven’t tried using SocialEngine myself but if you know how the app works then integrating it with Vanilla shouldn’t be too difficult. If you have specific questions regarding the Vanilla integration points, I’ll be more than happy to clarify where I can.

Also, if you’re interested in building a social network, you may want to take a look at Ning (http://www.ning.com/). May be the easier path to take

By: Joe

Joe — Tue, 11 Sep 2007 04:14:46 +0000

Hi there,

Thanks for a great tutorial. I’ve been looking for an integration tutorial or mod for vanilla and socialengine, found at socialengine.net- I’ve looked everywhere to no avail. Your tutorial is the only one not predefined with a certain program such as (Word Press). Do you think your tutorial can help me pull what I’m trying to accomplish? Please help. I’m willing to pay for an integrations.

Thanks,

Joe

By: Prashant Nadarajan

Prashant Nadarajan — Tue, 15 May 2007 02:10:18 +0000

Hi Chi,

You need to pull LUM_User.UserID and LUM_User.VerificationKey. It’s mentioned in item 4.

By: Chi

Chi — Mon, 14 May 2007 22:53:19 +0000

Hey man just checkin..u said to set the cookie..but you didnt say wat variables to pull from the database…a quick example will be sufficient…