DanWin / le-chat-php

A PHP Chat based on LE CHAT
https://danwin1210.de/chat/
GNU General Public License v3.0

[Help] - Login in with another system #108

Closed LexShadow closed 3 years ago

LexShadow commented 3 years ago

I see the session DB, so I can drop the information in there, but what other things do I need to send or set to be able to use my own login system? I have a full profile and friends system, and I want to control the login to the chat.

Is there a session I have to set in the browser? Also, passhash is set in the session database; why is this? If you could help on this it would be really helpful. I wouldn't mind bypassing the login and user settings fully in the chat, but I am also able to save the login details to the members section of the chat db if I need to.

DanWin commented 3 years ago

If you want to handle logins from an external application, you would have to create a session (32 characters string) and add it to the session table, as well as set a cookie on the client with the session cookie name. Along with the session you'll need to set a nickname, a status (see top of the script for detailed number to textual status information), seconds between each message refresh, entry time stamp, optionally a customized style for this user and a custom background color. You can ignore the password hash, as it is only used in sessions for re-logging in. This could be useful if you switch to a different device, or closed your browser and want to resume the active session. With external authentication this is probably not necessary.
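The steps in the comment above, as an added example (not le-chat-php's own code). The `sessions` table and column names, the `EXAMPLE_STATUS_MEMBER` value and the refresh interval are assumptions for illustration; the real status numbers are listed at the top of the chat script.

```php
<?php
// Added example: creating a chat session row from an external login system.
// Table and column names are ASSUMED; adapt them to your le-chat-php schema.
declare(strict_types=1);

// Numeric status values are defined at the top of the chat script; this value
// is a hypothetical placeholder, look the real one up there.
const EXAMPLE_STATUS_MEMBER = 1;

function random_session_id(): string {
    // 32 hex characters from the CSPRNG, so the id cannot be guessed.
    return bin2hex(random_bytes(16));
}

function create_chat_session(PDO $db, string $nickname, string $cookieName): string {
    $session = random_session_id();
    $stmt = $db->prepare(
        'INSERT INTO sessions (session, nickname, status, refresh, entry, style, bgcolour)'
        . ' VALUES (:session, :nickname, :status, :refresh, :entry, :style, :bgcolour)'
    );
    $stmt->execute([
        ':session'  => $session,
        ':nickname' => $nickname,
        ':status'   => EXAMPLE_STATUS_MEMBER,
        ':refresh'  => 20,      // seconds between message refreshes (assumed default)
        ':entry'    => time(),  // entry timestamp
        ':style'    => '',      // optional custom style for this user
        ':bgcolour' => '',      // optional custom background colour
    ]);
    // Carry the id in a cookie rather than a URL parameter: HttpOnly keeps it
    // away from page scripts, Secure keeps it off plaintext HTTP, SameSite=Lax
    // stops most cross-site requests from sending it.
    setcookie($cookieName, $session, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // The chat script sends no-referrer rules; doing the same on the login page
    // keeps a session id out of the Referer header if it ever ends up in a URL.
    header('Referrer-Policy: no-referrer');
    return $session;
}
```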

LexShadow commented 3 years ago

Thanks, I will give this a look into. So your script isn't using sessions, it's using cookies rather than sessions? Is there a reason for this, or is it just something you'd rather users use?

DanWin commented 3 years ago

What exactly are sessions to you? A session to me is a unique piece of client data saved on the server. It is identified by an ID, which is generated by the server and given to a client, in order to identify that client in subsequent requests. There are different options on how you could carry the session id, for example via a request header, a parameter or simply as a cookie (which is also a request header). The chat script supports the parameter option, along with the cookie option. If a client chooses to disable cookies, it will automatically use the parameter method. However, this has the downside of potentially leaking session information to third parties when clicking on a link, where the browser does not respect the no-referrer rules set by the script. And sometimes people forget that they need to remove the session parameter before sending someone else the link to the chat, so the best option is using a cookie. (Probably more than 99% of all websites using sessions are making use of cookies.)

LexShadow commented 3 years ago

Cookies are very hackable as well and, from my research so far, are no safer than the sessions built into PHP or other server back ends, so I was simply asking why you were using cookies over sessions when sessions were designed for the very thing you have been doing.

What are sessions to me? Nothing but the means of the software I am using; there is no magical meaning.

"the downside of potentially leaking session information to third parties when clicking on a link"

Could you point me to information on this, as it will help me with the path I take on my own login system.

DanWin commented 3 years ago

I think what you are talking about is PHP sessions (https://www.php.net/manual/en/book.session.php), correct? By default these also do nothing other than save a text file on the server with the data you store in that session, and send a cookie to the client. So they behave exactly the same as storing your own cookies and the data in a database. However, for a chat system you don't want to use PHP sessions, because you can only open the session which is your own. You can't see the other sessions, which effectively means you have no knowledge of other people currently in the chat. That's why you need to implement your own session table with the people that are currently online.

As for leaking potentially sensitive data, think about a link like this: https://example.com/my-credit-card-details?session_id=abcdef If I come from a non-technical background, or I didn't carefully check the link, I might copy-paste that link and send it to my friends to show them what an awesome website I found. But when I forget to remove the session_id, they are automatically logged in as me and can see the sensitive data that I stored on that site, like my credit card details. Now, if I'm not falling for that, it may still be that I leak this session ID to someone else, in case there is a messaging system, or the site owner has posted links to external websites. When I click on a link, the browser normally sends information to the new website about which website I was on before. This is called a referrer and could potentially also contain the full URL with the session ID. So in case the server owner of that other page I visit is an evil person, they can take the session ID from their server logs and steal my credit card data.

LexShadow commented 3 years ago

I don't include session login data via the URL, so I am not sure if this would be the case here. My sessions are set via pop, yes, you're right there, but I don't use post/get/request to get the session data; I call it all in house via the PHP script, and the end user never sees the session via the URL.

That browser session is picked by the login, and the session is also hashed, so when the session is doing anything important it will check the hash to make sure it's valid. All sessions are updated after the important action is completed or logged out. Also, all sessions are time based, so they will be deleted from the db after 6 hrs of no successful action update.

This is all done PHP side though; nothing is included via the URL at all, so there shouldn't be any session data in the referral, but I will look into referral leaks a little later.

Also, my login system would only set up the parts it needs for the chat to work. Right now I'm using a very basic chat system and still like yours over it; yours already has all the reg edit user rooms, PM systems and offline message systems.

Thanks for your input so far though gives food for thought.

DanWin commented 3 years ago

Yes, then you are indeed using PHP sessions. This describes exactly how they work. But essentially there's not much difference compared to how they work in this chat script, just that you are using PHP functionality that does everything for you, rather than programming the session handlers yourself.