English 中文(简体)
Noob way to login the user in Prestashop
原标题:

This is a walkthrough on how to make a user login on prestashop without passing through the login screen. This is helpful if you do not want the user to login again like when you want to transfer his session from one website to prestashop.

Step 1 Eliminate the need for password salting. Under config/settings.inc.php, set _COOKIE_KEY_ to blank. Note this also means that you must create a new customer. Or you can delete the old md5 password from DB and add your own.

Step 2 In the authentication.php file paste the following lines after line 6: 

                    $customer = new Customer();
                    //$authentication = $customer->getByEmail(trim($email), trim($passwd));
                    $authentication = $customer->getByMd5(trim($email), trim($passwd)); //modified version of getByEmail if we are not accepting  $passwd in cleartext but in md5.
                    /* Handle brute force attacks */
                    sleep(1);
                    if (!$authentication OR !$customer->id)
                        $errors[] = Tools::displayError( authentication failed );
                    else
                    {
                        $cookie->id_customer = intval($customer->id);
                        $cookie->customer_lastname = $customer->lastname;
                        $cookie->customer_firstname = $customer->firstname;
                        $cookie->logged = 1;
                        $cookie->passwd = $customer->passwd;
                        $cookie->email = $customer->email;
                        if (Configuration::get( PS_CART_FOLLOWING ) AND (empty($cookie->id_cart) OR Cart::getNbProducts($cookie->id_cart) == 0))
                            $cookie->id_cart = intval(Cart::lastNoneOrderedCart(intval($customer->id)));
                        Module::hookExec( authentication );
                        if ($back = Tools::getValue( back ))
                            Tools::redirect($back);
                        //Tools::redirect( my-account.php ); //cut redirection to break infinite loop
                    }

The above code is what makes the user login using $email as username and $passwd as password in plaintext. The original code comes from the if (Tools::isSubmit( SubmitLogin )) function inside the authentication.php file.

Step 3 Paste the above code in the products.php file just under line 5

Step 4 In case you are sending $passwd directly in md5 format, here is the modified version of getByEmail()(customer.php): 

public function getByMd5($email, $passwd = NULL)
    {    
        $result = Db::getInstance()->GetRow( SELECT * FROM ` ._DB_PREFIX_   . customer` WHERE `active` = 1 AND `email` =   .pSQL($email).     .(isset($passwd) ?  AND `passwd` =   .pSQL(_COOKIE_KEY_.$passwd).    :   ).  AND `deleted` = 0 );

        if (!$result)
            return false;
        $this->id = $result[ id_customer ];
        foreach ($result AS $key => $value)
            if (key_exists($key, $this))
                $this->{$key} = $value;

        return $this;       
    }

You can get access to the username/passwd either through the $_COOKIE[] function or through $_GET[]. Either way its a big security risk. Cookie reading can be placed in the index.php file.

问题回答

This approach you have proposed is extremely insecure. A salt is required for password safety and should never be removed. Further more by authenticating a user with their MD5 hash you effectively voiding all protection that hashing passwords provides you. People hash passwords because attacks like SQL injection allow an attacker to obtain this hash which then needs to be cracked. In this scenario the attacker can grab the admin s hash and just login right away.

The correct way to do session sharing:

Create a simple table to store session state. In this case the Cryptgoraphic Nonce is a large random value used to reference the data.

insert into session_state (sess,token) value ( .pSQL(serialize($_SESSION)). , .$cryptographic_nonce. )

When the browser is redirected to another shop give them a redirect like this:

header( location: https://some_other_shop/landing.php?token=$cryptographic_nonce );

When the new server gets this landing request it fetches the session state from the previous server:

$sess=http_get($_SERVER[ HTTP_REFERER ]."?token=$_GET[token]"); $_SESSION=unserialize($sess);

Note you might have to transfer the user s data in the database as well.

时间:2010-11-02 08:12:17


上一篇:
下一篇:


相关问题
Signed executables under Linux

For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...

时间:2009-11-14 01:34:19 回答:10 展示:1
MALICIOUS_CODE EI_EXPOSE_REP Medium

I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...

时间:2009-11-14 00:40:10 回答:5 展示:1
XSS on jsbin.com

Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...

时间:2009-11-14 00:18:21 回答:1 展示:1
Make md5 strong

Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...

时间:2009-11-13 18:59:37 回答:5 展示:1
Why running a service as Local System is bad on windows?

I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...

时间:2009-11-13 16:51:19 回答:5 展示:1
Brute-force/DoS prevention in PHP [closed]

I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...

时间:2009-11-13 05:37:34 回答:5 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全