
  1. #1
    Join Date
    Jul 2007
    Posts
    18
    Plugin Contributions
    0

    Default Re: External Log In - Log a Customer in from another system

    Quote Originally Posted by DrByte View Post
    /includes/modules/pages/login/header_php.php
    similar for logout
    I've done a var_dump on the $_SESSION superglobal and it has opened some more questions.

    Contents of the dump

    array(18) {
    ["customers_host_address"]=> string(29) "XXXXXXXXX.XXX.XX"
    ["cartID"]=> string(0) ""
    ["cart"]=> &object(shoppingcart)(8)
    {
    ["observers"]=> array(0) { }
    ["contents"]=> array(0) { }
    ["total"]=> int(0) ["weight"]=> int(0)
    ["content_type"]=> bool(false) ["free_shipping_item"]=> int(0) ["free_shipping_weight"]=> int(0)
    ["free_shipping_price"]=> int(0) }
    ["navigation"]=> &object(navigationhistory)(3) {
    ["observers"]=> array(0) { }
    ["path"]=> array(1) { [0]=> array(4) {
    ["page"]=> string(5) "login"
    ["mode"]=> string(6) "NONSSL"
    ["get"]=> array(1) { ["action"]=> string(7) "process" }
    ["post"]=> array(0) { }
    }
    }
    ["snapshot"]=> array(0) { }
    }
    ["check_valid"]=> string(4) "true"
    ["language"]=> string(7) "english"
    ["languages_id"]=> string(1) "1"
    ["languages_code"]=> string(2) "en"
    ["currency"]=> string(3) "GBP"
    ["updateExpirations"]=> bool(true)
    ["session_counter"]=> bool(true)
    ["customers_ip_address"]=> string(14) "XXX.XXX.XXX.XX"
    ["customer_id"]=> string(1) "3"
    ["customer_default_address_id"]=> string(1) "3" ["customers_authorization"]=> string(1) "0"
    ["customer_first_name"]=> string(3) "Tom"
    ["customer_country_id"]=> string(3) "222"
    ["customer_zone_id"]=> string(3) "190"
    }

    The question is: do I need to set all these session values, or just the ones starting with customers_, in order for a login to be "correct" in terms of the application being OK with it?

    Thanks very much for any help

  2. #2
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Default Re: External Log In - Log a Customer in from another system

    Quote Originally Posted by designerman View Post
    Question being do I need to set all these session values or just the ones starting customers_ in order for a login to be "correct" in terms of the application being ok with it?
    Just refer to the code in the login header_php.php file for the specifics of what gets set during a successful login.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jul 2007
    Posts
    18
    Plugin Contributions
    0

    Default Re: External Log In - Log a Customer in from another system

    I set the session data and update the customer_info table with the same query, but when I visit the shop it does not appear as logged in. What am I missing?

  4. #4
    Join Date
    Jul 2007
    Posts
    18
    Plugin Contributions
    0

    Default Re: External Log In - Log a Customer in from another system

    I cannot get this to work. I believe the error may be the fact that I cannot use the notifier class with my script because of illegal access. What I have done is changed the template file which deals with user registration, redirected to my website's registration form, and duplicated the Zen Cart process there during a sign-up.

    Really annoying, but you can't have everything you want and must adapt. Someone from the development team should really look into this, as it is a much-wanted feature.

  5. #5
    Join Date
    Oct 2007
    Location
    Los Angeles / Simi Valley
    Posts
    40
    Plugin Contributions
    0

    Default Re: External Log In - Log a Customer in from another system

    I'm just doing the same thing:

    // if the customer is logged in already, redirect them to the My account page
    if (isset($_SESSION['customer_id']) and $_SESSION['customer_id'] != '') {
    zen_redirect(zen_href_link(FILENAME_ACCOUNT, '', 'SSL'));
    }

    So if the customer is logged in, it would redirect if that is set.... and as a matter of fact, it works...

  6. #6
    Join Date
    Oct 2007
    Location
    Los Angeles / Simi Valley
    Posts
    40
    Plugin Contributions
    0

    Default Re: External Log In - Log a Customer in from another system

    Here is a little more detail on how to get it right.

    First, let me explain what happens here...

    1) We 'denaturalize' the Zen Cart session code, for many reasons... many functions are not needed if you want your customer to be logged in.

    2) We create a somewhat less stable login procedure... in fact it needs to be based on the session alone, which means that yes, it can be hacked.

    So here is what I modify to make it so that the session is successfully passed from one place to another:

    \includes\init_includes\init_sessions.php

    looks like this:
    Code:
    <?php
    /**
     * session handling
     * see {@link  http://www.zen-cart.com/wiki/index.php/Developers_API_Tutorials#InitSystem wikitutorials} for more details.
     *
     * @package initSystem
     * @copyright Copyright 2003-2005 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: init_sessions.php 5164 2006-12-10 19:01:25Z drbyte $
     */
    if (!defined('IS_ADMIN_FLAG')) {
      die('Illegal Access');
    }
    /**
     * require the session handling functions
     */
    require(DIR_WS_FUNCTIONS . 'sessions.php');
    session_start();
    ?>
    This basically removes all sorts of Zen Cart login checks and all the other stuff that was there, which just does not fit my needs, at least...

    \includes\functions\sessions.php

    looks like this:

    Code:
    <?php
    /**
     * functions/sessions.php
     * Session functions
     *
     * @package functions
     * @copyright Copyright 2003-2007 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: sessions.php 6662 2007-08-12 21:37:17Z wilt $
     */
    if (!defined('IS_ADMIN_FLAG')) {
      die('Illegal Access');
    }
    
    
      function zen_session_start() {
        @ini_set('session.gc_probability', 1);
        @ini_set('session.gc_divisor', 2);
        if (defined('DIR_WS_ADMIN')) {
          @ini_set('session.gc_maxlifetime', (SESSION_TIMEOUT_ADMIN < 900 ? (SESSION_TIMEOUT_ADMIN + 900) : SESSION_TIMEOUT_ADMIN));
        }
        $temp = session_start();
        if (!isset($_SESSION['securityToken'])) {
          $_SESSION['securityToken'] = md5(uniqid(rand(), true));
        }
        if (ereg_replace('[a-zA-Z0-9]', '', session_id()) != '') session_regenerate_id();
        return $temp;
      }
    
      function zen_session_register($variable) {
        die('This function has been deprecated. Please use Register Globals Off compatible code');
      }
    
      function zen_session_is_registered($variable) {
        die('This function has been deprecated. Please use Register Globals Off compatible code');
      }
    
      function zen_session_unregister($variable) {
        die('This function has been deprecated. Please use Register Globals Off compatible code');
      }
    
      function zen_session_id($sessid = '') {
        if (!empty($sessid)) {
          return session_id($sessid);
        } else {
          return session_id();
        }
      }
    
      function zen_session_name($name = '') {
        if (!empty($name)) {
          return session_name($name);
        } else {
          return session_name();
        }
      }
    
      function zen_session_close() {
        if (function_exists('session_close')) {
          return session_close();
        }
      }
    
      function zen_session_destroy() {
        return session_destroy();
      }
    
      function zen_session_save_path($path = '') {
        if (!empty($path)) {
          return session_save_path($path);
        } else {
          return session_save_path();
        }
      }
    
      function zen_session_recreate() {
        global $http_domain, $https_domain, $current_domain;
        if ($http_domain == $https_domain) {
          $saveSession = $_SESSION;
          $oldSessID = session_id();
          session_regenerate_id();
          $newSessID = session_id();
          session_id($oldSessID);
          session_id($newSessID);
          if (STORE_SESSIONS == 'db') {
            session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
          }
          session_start();
          $_SESSION = $saveSession;
          if (IS_ADMIN_FLAG !== true) {
            whos_online_session_recreate($oldSessID, $newSessID);
          }
        } else {
        /*
          $saveSession = $_SESSION;
          $oldSessID = session_id();
          session_regenerate_id();
          $newSessID = session_id();
          session_id($oldSessID);
          session_destroy();
          session_id($newSessID);
          session_set_cookie_params(0, '/', (zen_not_null($http_domain) ? $http_domain : ''));
          session_id($newSessID);
          if (STORE_SESSIONS == 'db') {
            session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
          }
          session_start();
          session_set_cookie_params(0, '/', (zen_not_null($current_domain) ? $current_domain : ''));
          session_start();
          $_SESSION = $saveSession;
          */
        }
      }
    ?>
    All I removed here was getting the session back from the DB; this is because I do not want to store the session in the DB, and it was still checking there even though session storage was disabled by the install...

    Now the coding part that you need to log in:

    Code:
    // BOF Zen Login
    $location = mysql_fetch_array(mysql_query("SELECT entry_country_id, entry_zone_id FROM zen_address_book WHERE customers_id ='".$UserID."'", $con));
    $customer = mysql_fetch_array(mysql_query("SELECT customers_default_address_id, customers_authorization, customers_firstname, customers_lastname FROM zen_customers WHERE customers_id='".$UserID."'", $con));
    $_SESSION['customer_id'] = $UserID;
    $_SESSION['customer_default_address_id'] = $customer['customers_default_address_id'];
    $_SESSION['customers_authorization'] = $customer['customers_authorization'];
    $_SESSION['customer_first_name'] = $customer['customers_firstname'];
    $_SESSION['customer_last_name'] = $customer['customers_lastname'];
    $_SESSION['customer_country_id'] = $location['entry_country_id'];
    $_SESSION['customer_zone_id'] = $location['entry_zone_id'];
    $_SESSION['SESSION_IP_ADDRESS'] = zen_get_ip_address();
    $_SESSION['SESSION_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['securityToken'] = md5(uniqid(rand(), true));
    $sql = "UPDATE zen_customers_info SET customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 WHERE customers_info_id ='". $UserID. "'";
    if (ereg_replace('[a-zA-Z0-9]', '', session_id()) != '') session_regenerate_id();
    mysql_query($sql, $con);
    // EOF Zen Login

    Remember that whichever authentication measures you are using on your site should be included right after session_start in \includes\init_includes\init_sessions.php.
    They are necessary to prevent basic hacking, and now they can just be whatever you use on your site; just copy and paste and you should be OK... (even though Zen Cart security is pretty good...)

    NOTE that... this removes ZENID and leaves the session named automatically with the session ID.

    You also need to modify the LOG OUT procedures (header) to log the user out of the whole system (yours) and maybe destroy the session, which stops the login.

    IMPORTANT THING to think about...
    This does NOT check the IP address, simply the session ID.
    It's a good idea to modify this code to use Zen Cart's original way of checking your IP address; you need some kind of insurance that you are not being hacked.
    Zen Cart uses all known methods, but you should at least use the IP address and session ID to keep track of who is really logged in. ;)


    MODERATOR NOTE: There are many security risks, some mentioned, some not, introduced by making the changes mentioned here. USE AT OWN RISK.

  7. #7
    Join Date
    Oct 2007
    Location
    Los Angeles / Simi Valley
    Posts
    40
    Plugin Contributions
    0

    Default Re: External Log In - Log a Customer in from another system

    I wanted to add a little note, but I see that there is no edit button???

    Anyway, this goes under the last Code Box...
    This assumes the following:
    You are using a zen_ table heading; if you are not, then you need to remove all occurrences of zen_ or replace them with your own table heading.
    Also, $UserID should be obtained from the authentication process, which you should paste this into in order for things to work.

    However you have things set up, you have to make sure that your customer ID comes from Zen Cart, in other words:
    Code:
    $mysql = "SELECT customers_id, customers_password FROM zen_customers WHERE customers_email_address='".$_POST['email-address-provided-by-customer-as-login']."' LIMIT 1";
    // $connection_link is the link returned by your mysql_connect() call
    $result = mysql_query($mysql, $connection_link) or die ("most likely the user does not exist in this case..." . mysql_error());
    $row = mysql_fetch_array($result);
    
    $UserID = $row['customers_id'];
    $pass = $row['customers_password'];
    
    // now compare passwords and authenticate the user, and you can also perform the login...
    MODERATOR NOTE: The code suggested here is vulnerable to SQL Injection attack, since the input to the database query is not sanitized. USE AT OWN RISK
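    As an added example (not code from the thread or from Zen Cart), here is the email lookup above rewritten with a bound parameter instead of string concatenation, the login step from post #6 setting the same session keys, and the per-client check that post #6 says it removed; it assumes a PDO connection $pdo, the zen_ table prefix used in the thread, PHP 8, and that session_start() has already run.

```php
<?php
// Added example, not code from the thread or from Zen Cart. Assumes a PDO connection
// $pdo, the zen_ table prefix used in the thread, PHP 8, and that session_start() has run.

function findCustomerByEmail(PDO $pdo, string $email): ?array
{
    // Bound parameter: quotes or SQL in the submitted address cannot alter the statement.
    $stmt = $pdo->prepare('SELECT customers_id, customers_password FROM zen_customers
                           WHERE customers_email_address = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;  // check the hash with the store's own routine next
}

function loginCustomer(PDO $pdo, int $customerId): void
{
    // Same lookups and session keys as the earlier post, with bound integer parameters.
    $stmt = $pdo->prepare('SELECT customers_default_address_id, customers_authorization,
                           customers_firstname, customers_lastname
                           FROM zen_customers WHERE customers_id = :id');
    $stmt->execute([':id' => $customerId]);
    $c = $stmt->fetch(PDO::FETCH_ASSOC) ?: throw new RuntimeException('unknown customer');
    $stmt = $pdo->prepare('SELECT entry_country_id, entry_zone_id FROM zen_address_book
                           WHERE customers_id = :id AND address_book_id = :addr');
    $stmt->execute([':id' => $customerId, ':addr' => (int) $c['customers_default_address_id']]);
    $a = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['entry_country_id' => 0, 'entry_zone_id' => 0];
    session_regenerate_id(true);  // never promote a session id issued before authentication
    $_SESSION['customer_id']                 = $customerId;
    $_SESSION['customer_default_address_id'] = $c['customers_default_address_id'];
    $_SESSION['customers_authorization']     = $c['customers_authorization'];
    $_SESSION['customer_first_name']         = $c['customers_firstname'];
    $_SESSION['customer_last_name']          = $c['customers_lastname'];
    $_SESSION['customer_country_id']         = $a['entry_country_id'];
    $_SESSION['customer_zone_id']            = $a['entry_zone_id'];
    $_SESSION['SESSION_IP_ADDRESS']          = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['SESSION_USER_AGENT']          = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['securityToken']               = bin2hex(random_bytes(16));
    $pdo->prepare('UPDATE zen_customers_info SET customers_info_date_of_last_logon = NOW(),
                   customers_info_number_of_logons = customers_info_number_of_logons + 1
                   WHERE customers_info_id = :id')->execute([':id' => $customerId]);
}

// The check the earlier post removed: honour the session only from the client that
// created it. Run this on every request before trusting $_SESSION['customer_id'].
function sessionMatchesClient(): bool
{
    return isset($_SESSION['SESSION_IP_ADDRESS'], $_SESSION['SESSION_USER_AGENT'])
        && hash_equals($_SESSION['SESSION_IP_ADDRESS'], $_SERVER['REMOTE_ADDR'] ?? '')
        && hash_equals($_SESSION['SESSION_USER_AGENT'], $_SERVER['HTTP_USER_AGENT'] ?? '');
}
```

    Call findCustomerByEmail() with the submitted address, verify the submitted password against customers_password with the store's own routine, and only then call loginCustomer(); pages that read $_SESSION['customer_id'] should first require sessionMatchesClient() to be true.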

 

 
