ID:235654
 
Keywords: dmcgi, php
(See the best response by Nadrew.)
Having a bit of trouble with the below code.

<?php

// Login auth stuff
$exec_string = "/home/auth/whoami.dmb | tail -1";
$authinfo = shell_exec($exec_string);
// remove trailing newline character
$endchar = substr($authinfo, strlen($authinfo) - 1, 1);
if ($endchar == "\n") { $authinfo = substr($authinfo, 0, -1); }

// header() has to be sent before any output, so the redirect is decided
// before the HTML below is emitted (otherwise "headers already sent")
if (empty($_GET['byondcert'])) {
    header("Location: https://secure.byond.com/login.cgi?login=1;noscript=1;url=http%3A%2F%2Fbyondpanel.com%2Fauth%2Fauth.php");
    exit;
}

?>
<html>
<body>
<?php echo $authinfo; ?>
</body>
</html>


The above constantly returns guest no matter what.

whoami.dmb

CGI
    Topic(href,href_list[])
        if(!href)
            usr.Login()
    Login()
        usr << "[usr.key]"


Chucked in some Login()'s to check if that wasn't the problem.

Can test here - http://byondpanel.com/auth/auth.php

And the DMB here - http://byondpanel.com/auth/whoami.dmb

The dmb obviously logs in and shows the user's key, not guest.
You don't need the usr.Login() part for one.

The problem you're having here is the fact that you're executing the dmb as a shell command, which is going to execute it as the server -- which can't login.

The method used for doing what you need is using cookies to store the key, and some kind of hash to validate it on PHP's end.

So you do the following:

* In DMCGI, log the user in and return them to the page with the argument to CGI.Login(). In the DMCGI you'd check if the key is guest or not, if it's not then it's already been validated.

* If you have a valid key, you use CGI.SetCookie() to set a couple of cookies, one being the plaintext key, the other being a custom md5() hash that contains some random madeup stuff and the key itself.

* In your PHP you check the cookies you set, if there's a key stored validate it against the stored hash. If things match up you'll have validated access to the person's key right inside of a handy easy-to-use cookie.

You don't want to be directly trying to validate things against the data BYOND sends back to your server, it's not very safe and can be a bit hard to manage correctly.
Hmm, seems that it isn't creating the cookies at all.

CGI
    Topic(href,href_list[])
        if(!href)
            if(usr.ckey == "guest")
                usr << usr.key
                Login()
            else
                SetCookie("BYONDKey",usr.key,world.realtime + 10*60*60*24*2,"http://byondpanel.com","/auth/",0)
                var/key = "testobviouslyiwillchangethis[usr.key]"
                SetCookie("BYONDKeyMashed",md5(key),world.realtime + 10*60*60*24*2,"http://byondpanel.com","/auth/",0)
                usr << usr.key
                usr << "Cookie - " + usr.client.CGI.cookies["BYONDKey"]
Use "." as the domain, or "byondpanel.com" -- http:// is a protocol, not part of the domain.
I am such an idiot ... thanks Nadrew
// remove newline character
$endchar = substr("$authinfo", strlen("$authinfo") - 1, 1);
if ($endchar == "\n") {$authinfo = substr("$authinfo", 0, -1);}


Is there no chomp equivalent in PHP? If there is it would clean this up significantly.
As Nadrew said, it's pointless as the server is trying to log in instead of the user.

The SetCookies still won't work. I have given up for now as I am at work.
Try using ".byondpanel.com" as the domain and "/" as the path.
CGI
    Topic(href,href_list[])
        if(usr.ckey == "guest")
            Login()
        else
            usr.client.CGI.SetCookie("BYONDKey",usr.key,world.realtime + 10*60*60*24*2,".byondpanel.com","/","false")
            usr << "1"
            var/key = "stuff[usr.key]"
            usr << "2"
            usr.client.CGI.SetCookie("BYONDKeyMashed",md5(key),world.realtime + 10*60*60*24*2,".byondpanel.com","/","false")
            usr << "KEY"
            usr << usr.key
            usr << "Cookie - " + usr.client.CGI.cookies["BYONDKey"]
            //Reroute("http://byondpanel.com/auth/auth.php")
        if(href == "logout") Logout()


Still not working. Very odd.

[EDIT] Got it to work, using 0 instead of false for the secure option on the cookie.
Best response
Use 0 instead of "false" there. You should also try not to rely on CGI.cookies to check it, use a web-developer tool to view the cookies for the domain. I'm not entirely sure how reliable CGI.cookies is these days -- I've never used cookies in DMCGI outside of setting them for PHP to read.

This is what I used for byondmail.com's authentication system:
CGI
    Topic(href,href_list[])
        if(usr.ckey != "guest")
            SetCookie("byond_key",usr.key,world.realtime+360000,".byondmail.com","/",0)
            SetCookie("byond_hash",md5("hiddenhashgoodies[usr.key]hiddenhashgoodies"),world.realtime+360000,".byondmail.com","/",0)
            if(href)
                if(href_list["to"])
                    Reroute("http://byondmail.com/[href_list["to"]]")
                else
                    Reroute("index.php")
            else
                Reroute("index.php")
        else
            src.Login("http://www.byondmail.com/betamail/authenticate.dmb")
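The PHP half of this scheme, the cookie validation Nadrew describes in his third bullet and the counterpart of the byond_hash cookie set in the byondmail.com code above, as an added example that is not code from the thread. The secret value is a placeholder, the byond_key/byond_hash cookie names are taken from Nadrew's code, and the redirect URL and the allowed key character set are assumptions.

```php
<?php
// Added example (not from the thread): the PHP side of the cookie scheme.
// The secret must match the one compiled into the .dmb that sets "byond_hash";
// the value here is a placeholder.
define('BYOND_COOKIE_SECRET', 'hiddenhashgoodies');

/**
 * Return the authenticated BYOND key, or null if the cookies are missing or
 * do not validate. $cookies is normally $_COOKIE; it is a parameter so the
 * check can be exercised with constructed input.
 */
function byond_key_from_cookies(array $cookies, $secret)
{
    if (!isset($cookies['byond_key'], $cookies['byond_hash'])) {
        return null;
    }
    $key  = (string) $cookies['byond_key'];
    $hash = (string) $cookies['byond_hash'];

    // Reject anything that does not look like a key before it reaches a page
    // or a query (the character class is an assumption about BYOND key syntax).
    if (!preg_match('/^[A-Za-z0-9_ .-]{1,64}$/', $key)) {
        return null;
    }
    // Same construction as the DM side: md5("secret[key]secret"). Keeping the
    // secret on both sides of the key, as the byondmail.com code does, avoids
    // the MD5 length-extension weakness of a prefix-only secret.
    $expected = md5($secret . $key . $secret);

    // Constant-time comparison so a forged hash cannot be matched byte by byte.
    return hash_equals($expected, $hash) ? $key : null;
}

// Constructed self-check: a correct pair validates, a tampered key does not.
$good = array('byond_key'  => 'ExampleKey',
              'byond_hash' => md5(BYOND_COOKIE_SECRET . 'ExampleKey' . BYOND_COOKIE_SECRET));
$bad  = $good; $bad['byond_key'] = 'SomeoneElse';
assert(byond_key_from_cookies($good, BYOND_COOKIE_SECRET) === 'ExampleKey');
assert(byond_key_from_cookies($bad,  BYOND_COOKIE_SECRET) === null);

$key = byond_key_from_cookies($_COOKIE, BYOND_COOKIE_SECRET);
if ($key === null) {
    // Not logged in: hand off to the DMCGI login, which sets the cookies and reroutes back.
    header('Location: http://byondpanel.com/auth/whoami.dmb'); // assumed login URL
    exit;
}
?>
<html><body>
Logged in as <?php echo htmlspecialchars($key, ENT_QUOTES, 'UTF-8'); ?>
</body></html>
```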
Yep, thanks Nadrew. Now to make a simple API for other users for auth.