
Verify session with WHMCS cookie and API?



Hello all,

I will have users logged directly into WHMCS.

Does anyone know how I can verify a user's session via the cookie and API? I will be doing it via a Node.js app.

I have another application, and it has access to the WHMCS cookie as it is on the same domain, and it can use the API.

So I would like it to get the cookie and then check via the WHMCS API if the user is logged in and who the user is.

I can also access the database if needed.

The CreateSsoToken method does not really work for me, as they will be logged into WHMCS via the order form or other. And I can't control how they will access this other application (they may click a link or access it directly or other).

Edited by PixelPaul

I don't think WHMCS has an API endpoint for this. The way I would do it is to create a PHP script on the WHMCS server that returns the client's data when called. For example, you can use the PHP session (DOLLAR-SIGN_SESSION) to determine if the client is logged in and which client it is. You then return this information as (e.g.) JSON.

Like that:

  • Create a simple PHP script, e.g. under: http://domain.com/whmcs/getClient.php
  • When someone opens your website, the visitor makes an AJAX call to getClient.php.
  • Then the output of getClient.php is processed client-side and your JavaScript should adjust the output of your website accordingly.

If you don't want to just display data, but do things with the account, you'll obviously need to do the check server-side, for security reasons. You would query the session ID of the client and then read the session from the server. For this you either read the content from the session file (use phpinfo() to find out where your sessions are) or from the database. Depending on how WHMCS is configured: https://docs.whmcs.com/Sessions

Whereby a client-side processing would be possible by creating your own API in WHMCS (like getClient.php), in which you make sure that the user is logged in.

PS: The WHMCS server blocks my post if I write DOLLAR-SIGN_SESSION - this is why I have written DOLLAR-SIGN_SESSION. Surely you know that you need to replace "DOLLAR-SIGN" with the actual char.

Edited by string
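
The server-side check described in the post above, seen from the Node.js application, as an added example that is not part of the original posts and is not WHMCS code. It assumes the `getClient.php` script from the post replies with JSON of the form `{"loggedIn": true, "clientId": 42}` and that `cookieName` is the session cookie your WHMCS install sets; both are assumptions, as are the function names.

```javascript
// Added example. Assumptions: getClient.php (the script proposed in the post)
// replies with JSON like {"loggedIn": true, "clientId": 42}; the cookie name
// passed in is whatever your WHMCS install actually sets.

// Return the value of one named cookie from a raw Cookie header, or null.
function pickCookie(cookieHeader, name) {
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Ask the WHMCS-side script who owns this session. Resolves to
// { clientId } for a logged-in client and to null in every other case.
async function verifyWhmcsSession(cookieHeader, opts) {
  const { endpoint, cookieName, fetchImpl = globalThis.fetch } = opts;
  const sessionId = pickCookie(cookieHeader, cookieName);
  // PHP session IDs use only [A-Za-z0-9,-]; anything else is rejected
  // before it can reach an outgoing header.
  if (!sessionId || !/^[A-Za-z0-9,-]{16,256}$/.test(sessionId)) return null;
  try {
    const res = await fetchImpl(endpoint, {
      // Forward the session cookie only, never the visitor's full header.
      headers: { Cookie: `${cookieName}=${sessionId}`, Accept: "application/json" },
      redirect: "manual", // a redirect to a login page is not a success
    });
    if (!res.ok) return null;
    const body = await res.json();
    // Trust the identity only if the reply has exactly the expected types.
    if (body && body.loggedIn === true &&
        Number.isInteger(body.clientId) && body.clientId > 0) {
      return { clientId: body.clientId };
    }
    return null;
  } catch {
    return null; // network or JSON error: fail closed
  }
}
```

Call it once per request with the incoming `Cookie` header, and use the returned `clientId`, never an ID supplied by the browser, for any account action.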

This is close to what I was thinking of doing.

The only problem is, the session data seems to be encrypted in the database. So I can get the session for the logged in person, but I can't get their userID from the session data without decrypting the payload somehow.

Edited by PixelPaul