Solutions for Synchronous login between JSP website and phpwind Forum

Source: Internet
Author: User


In the previous article, I covered installing Apache, PHP, MySQL and related software on Windows, and integrating Apache with Resin. This article explains how to implement synchronous login and logout between a JSP website and the phpwind forum. It uses the phpwind 7.5 SP3 source code as its example. I inserted some test code into the source while working on it, and although that code has since been deleted, the line numbers quoted below are not guaranteed to match the original source exactly. If a line number is off, search the lines just above and below it.

 

I. How is the phpwind cookie generated?

 

Phpwind uses cookies to determine whether the current user is logged in. To implement synchronous login and logout between the JSP website and phpwind, the JSP program must therefore be able to read and parse the cookie that phpwind generates, and must also be able to generate the same cookie itself so that the user is logged in automatically when visiting the phpwind forum. Let's first look at the cookie information phpwind generates for a logged-in user:

 

In the cookie information, 08383_winduser and its value are what phpwind uses to decide whether the user is logged in or logged out. Analyzing them is the focus of this article.

 

Let's first see where the 08383 in 08383_winduser comes from. In line 84 of the login.php file, find:

cookie("winduser", strcode($winduid . "\t" . $windpwd . "\t" . $safecv), $cktime);

The cookie function writes a cookie to the client. It is defined at line 145 of the common.php file:

function cookie($ck_var, $ck_value, $ck_time = 'F', $p = true) {}

The first parameter is the key name of the cookie and the second is the cookie value. The value passed to $ck_var in the call above is winduser, yet the cookie information shows 08383_winduser. So where does the 08383 come from? Looking further into the code, we find this statement in line 3:

$ck_var = cookiepre() . '_' . $ck_var;

So 08383 must be generated by the cookiepre function. Its definition is at line 189:

function cookiepre() {
    // computed once per request, then cached in the static variable
    static $pre = null;
    !isset($pre) && $pre = substr(md5($GLOBALS['db_sitehash']), 0, 5);
    return $pre;
}

 

So 08383 is the first five characters of md5($GLOBALS['db_sitehash']), where $GLOBALS['db_sitehash'] is the value of the db_sitehash entry in the pw_config table. That settles how the key name is generated. Next, let's see how the key value is generated.

 

The key value is strcode($winduid . "\t" . $windpwd . "\t" . $safecv). The strcode function is defined at line 241 of the common.php file:

function strcode($string, $action = 'ENCODE') {}

The first parameter is the string to be encrypted or decrypted, and the second selects encryption or decryption; the default is encryption. In the code, $GLOBALS['pwServer']['HTTP_USER_AGENT'] is the User-Agent header of the request, and $GLOBALS['db_hash'] is the value of the db_hash entry in the pw_config table. How, then, is the argument $winduid . "\t" . $windpwd . "\t" . $safecv that is passed to the strcode function generated?

The following code appears at lines 66 and 70 of the login.php file:

$logininfo = checkpass($pwuser, $md5_pwpwd, $safecv, $lgt);

list($winduid, $groupid, $windpwd, $showmsginfo) = $logininfo;

From this we can see that the actual arguments of the strcode function are produced by the checkpass function, which is defined at line 49 of the checkpass.php file:

function checkpass($username, $password, $safecv, $lgt = 0) {}

The first parameter is the user name, the second is the user password hashed with MD5, and the third is the processed security question. The first and third of the returned values correspond to $winduid and $windpwd in the actual arguments of the strcode function. $winduid is the uid in the pw_members table. The generation of $windpwd is more complicated. The following code can be seen in line 3:

$windpwd = pwdcode($password);

So $windpwd is generated by the pwdcode function. Its definition is at line 227 of the common.php file:

function pwdcode($pwd) {
    // binds the stored MD5 password to the browser's User-Agent and the site's db_hash
    return md5($GLOBALS['pwServer']['HTTP_USER_AGENT'] . $pwd . $GLOBALS['db_hash']);
}

So $windpwd is the MD5 hash of three concatenated strings: the User-Agent header of the request, the user password hashed with MD5, and the value of db_hash in the pw_config table. That is really complicated. It seems phpwind has taken great pains over security!

Finally, $safecv is the one remaining argument of the strcode function. It is generated by the questcode function, which is defined at line 211 of the checkpass.php file:

function questcode($question, $customquest, $answer) {
    // '-1' means the user supplied a custom question
    $question = ($question == '-1') ? $customquest : $question;
    return $question ? substr(md5(md5($question) . md5($answer)), 8, 10) : '';
}

The generation of $safecv is complex enough. I believe the explanation above makes the process clear, so I will not spend more words on it. I am too tired!

 

II. How does phpwind obtain information from cookies?

 

The phpwind code that retrieves user information from the cookie is at line 152 of the global.php file:

list($winduid, $windpwd, $safecv) = explode("\t", addslashes(strcode(getcookie('winduser'), 'DECODE')));

The key part is strcode(getcookie('winduser'), 'DECODE'), which uses base64 to decode the value obtained from the cookie. The decoded string is split on \t into three segments: the first is the uid, the second is the string generated by the pwdcode function described above, and the third is the string generated by the questcode function described above. They are saved to $winduid, $windpwd and $safecv respectively. The uid is then used to fetch the user's information and to verify that the password and security question match.

 

III. How to synchronize login and logout with the phpwind forum

 

Synchronous login and synchronous logout mean that once a user has logged in to the JSP website, the user is already logged in when visiting phpwind, and once a user has logged in to phpwind, the user is logged in to the JSP website as well; the same applies to logging out. To achieve this, the JSP website must implement two functions in Java. One reads and parses the winduser value that phpwind wrote to the cookie. The other generates a phpwind-style cookie when a user logs in, so that the phpwind forum can recognize the user's status. The implementation is relatively simple, since you only need to translate the functions described above into Java code, so I will only describe the approach and the problems you may run into.

 

I put the code that reads and parses the winduser value generated by phpwind in a filter. The filter reads the value from the cookie and calls the strcode function to decode it and obtain the uid. It then queries the database by uid to get the user object and verifies that the password and security question are correct. If both are correct, the user object is stored in the session. The next time the user object is needed, it can be taken directly from the session, without calling strcode to decode the cookie and querying the database again.
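The check the filter performs once strcode has decoded the cookie, written out in Java as an added example (not code from this article or from phpwind). It also ports cookiepre, pwdcode and questcode as described in section I. The class name, the users map standing in for the pw_members lookup, the UTF-8 charset and all values in main are assumptions or constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Added example, not phpwind's or the author's code. Site charset assumed to be UTF-8.
public class WinduserCheck {
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%032x", new java.math.BigInteger(1, d));
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    // cookiepre(): first five hex characters of md5(db_sitehash), then "_winduser"
    static String cookieName(String dbSitehash) {
        return md5Hex(dbSitehash).substring(0, 5) + "_winduser";
    }
    // pwdcode(): md5(User-Agent . md5(password) . db_hash)
    static String pwdCode(String userAgent, String md5Password, String dbHash) {
        return md5Hex(userAgent + md5Password + dbHash);
    }
    // questcode(): 10 characters from offset 8 of md5(md5(question) . md5(answer))
    static String questCode(String question, String customQuest, String answer) {
        String q = "-1".equals(question) ? customQuest : question;
        if (q == null || q.isEmpty() || q.equals("0")) return ""; // PHP-falsy: no question set
        return md5Hex(md5Hex(q) + md5Hex(answer)).substring(8, 18);
    }
    static boolean same(String a, String b) { // comparison without early exit on mismatch
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
    // decoded: already-decoded cookie value. users: uid -> {md5 password, safecv} (hypothetical stand-in for pw_members).
    static long verify(String decoded, String userAgent, String dbHash, Map<Long, String[]> users) {
        String[] p = decoded.split("\t", -1);
        if (p.length != 3 || !p[0].matches("[0-9]{1,18}")) return -1; // malformed cookie
        String[] row = users.get(Long.parseLong(p[0]));
        if (row == null) return -1;                                   // unknown uid
        boolean ok = same(p[1], pwdCode(userAgent, row[0], dbHash)) & same(p[2], row[1]);
        return ok ? Long.parseLong(p[0]) : -1;
    }
    public static void main(String[] args) {
        String ua = "Mozilla/5.0 (constructed)", dbHash = "constructed-db-hash"; // constructed values
        String safecv = questCode("-1", "first pet?", "rex");
        Map<Long, String[]> users = Map.of(7L, new String[] {md5Hex("s3cret"), safecv});
        String decoded = "7\t" + pwdCode(ua, md5Hex("s3cret"), dbHash) + "\t" + safecv;
        System.out.println(cookieName("constructed-sitehash") + " uid=" + verify(decoded, ua, dbHash, users));
        System.out.println("other User-Agent: uid=" + verify(decoded, "curl/8", dbHash, users));
    }
}
```

The strcode decoding step is left out because its body is not shown on this page; verify expects the tab-separated string that strcode returns.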

 

Note one problem that arises because the user object is kept in the session: the user may log out of the phpwind forum, or log in again as a different user, while the JSP website open in another browser window still shows the original user as logged in, because the object in the session has not been invalidated. The solution is to set a static variable to save the winduser value from the cookie. Once the new value is found to be null or different from the saved value, it means the user has logged out of the phpwind forum or logged in with a new user name.

 

On the JSP website side, the login code calls the strcode function to generate a cookie in the same way phpwind does, so that the phpwind forum can recognize the user's status. In addition, for phpwind and the JSP website to share the cookie, you need to modify the config.php file in phpwind and set $db_ckdomain to ".xxx.com". Synchronous logout is relatively simple: you only need to set the cookie value to empty. I will not go into details here.

 

Okay. In this article I mainly covered how phpwind generates its cookie and how phpwind obtains information from the cookie, and briefly described how to implement synchronous login with the phpwind forum. In the next article, I will introduce how to quickly and conveniently import data from Oracle to MySQL.
