<html>
<body>
<?php
// Login auth stuff
$exec_string="/home/auth/whoami.dmb | tail -1";
$authinfo=shell_exec($exec_string);
// remove newline character
$endchar = substr("$authinfo", strlen("$authinfo") - 1, 1);
if ($endchar == "\n") {$authinfo = substr("$authinfo", 0, -1);}
if($_GET['byondcert']){
echo "$authinfo";
}else{
header("Location: https://secure.byond.com/login.cgi?login=1;noscript=1;url=http%3A%2F%2Fbyondpanel.com%2Fauth%2Fauth.php");
}
?>
</body>
</html>
The above constantly returns guest no matter what..
whoami.dmb
CGI
Topic(href,href_list[])
if(!href)
usr.Login()
Login()
usr << "[usr.key]"
Chucked in some Login(0's to check if that wasn't the problem ..
Can test here - http://byondpanel.com/auth/auth.php
And the DMB here - http://byondpanel.com/auth/whoami.dmb
The dmb obviously logs in and shows the the users key not guest..
The problem you're having here is the fact that you're executing the dmb as a shell command, which is going to execute it as the server -- which can't login.
The method used for doing what you need is using cookies to store the key, and some kind of hash to validate it on PHP's end.
So you do the following:
* In DMCGI, log the user in and return them to the page with the argument to CGI.Login(). In the DMCGI you'd check if the key is guest or not, if it's not then it's already been validated.
* If you have a valid key, you use CGI.SetCookie() to set a couple of cookies, one being the plaintext key, the other being a custom md5() hash that contains some random madeup stuff and the key itself.
* In your PHP you check the cookies you set, if there's a key stored validate it against the stored hash. If things match up you'll have validated access to the person's key right inside of a handy easy-to-use cookie.
You don't want to be directly trying to validate things against the data BYOND sends back to your server, it's not very safe and can be a bit hard to manage correctly.