[not a bug] API action "validatelogin" - version 5.1.3

[sufi]

There is a bug in API action "validatelogin". It doesn't send the same hash as the main site generates for the $_SESSION['upw']. so it does not allow login, when using API validatelogin.

I am using v5.1.3 of WHMCS.

 

I tried with few users, and here is example of one user data:

 

When I call using following data:

 

$postfields["action"] = "validatelogin";

$postfields["email"] = "user@domain.com";

$postfields["password2"] = "abc123";

 

It returns hash: 5698383bd533cdcba631de375964df14b8c2cd36

 

But after login to whmcs using the same user, I have found the $_SESSION['upw'] is different! It returned:

 

$_SESSION['upw'] = 6cb888bc6b97ac4d9e490a5a24f6ac57888f9228

 

That's why it was not letting me do the auto login.

Could you please check the API function and provide a solution?

[Matt]

Login hashes by default include the IP address of the user. And in this case since you are connecting to the API from a PHP script, the IP will be the IP your server is connecting from.

 

The ValidateLogin API call is designed to allow you to verify login credentials only.

 

If your intention is to log the user in, then you should be looking at using AutoAuth instead: http://docs.whmcs.com/AutoAuth

 

Otherwise you would need to disable Session IP Validation setting in Setup > General Settings > Security to be able to use the returned hash directly from the API call.

 

Matt

[sufi]

Thanks for the clarification.

This data should have been also mentioned on documentation page of validatelogin. That will be more efficient way.

 

Anyway, thanks a lot.

[AssociatedVOIP]

I concur!

 

The documentation specifically states you can use the validatelogin API call to log the client in to whmcs.

 

The documentation needs to be updated!

Edited August 9, 2013 by WHMCS Chris