nielsenj, Posted October 17, 2008

I've been trying to find a way to instantiate a WHMCS session outside of the software so that a user is "logged in" when they go to any WHMCS page. Basically a cross-application session, so when they are validated (using the WHMCS API) outside of WHMCS and we've confirmed they are a user, they also get a WHMCS session logging them into both apps at the same time.

What I've narrowed it down to are the cookie vars:

WHMCSUID - The client id
WHMCSPW

What I can't seem to figure out is where WHMCSPW is generated. The "PW" would indicate it's derived from the password, BUT it's not the encrypted password stored in the DB and there doesn't seem to be an API command to get it. WHMCSPW is the same for each user on each login. I haven't tested it, but I would assume if I changed the user's password this would also change, meaning it is derived from the user's password.

Anyone have any ideas?

Thanks,
J

nielsenj (Author), Posted October 17, 2008

Never mind, I figured it out! Somewhat sensitive, so if someone is looking for the same information feel free to PM me.

Thanks,
J

Summy, Posted October 31, 2008

Just starting on a similar project myself... without having looked into this myself yet... the normal way these things work is that "cookies" store username/password on the user's computer when they tick the "keep me logged in" option. The bit that does the session login/handling magic is actually the PHPSESSID. This will be passed to the server on every page load, something like PHPSESSID=324jh23j4h234j23j4hjsds. On the server the session that matches up to that will have the client id etc...

bobbravo2, Posted March 16, 2009

nielsenj - can you please send me a PM, I can't PM you, I'd like to know what you found out. Email works too: bob at bobscomputers dot com.

bobbravo2, Posted March 16, 2009

So it seems that every time I use the API call "encryptpassword" it generates something resembling an MD5 hash, but every time I refresh it, it's different. The WHMCSPW cookie, on the other hand, has the same value after numerous logins/logouts. Nielsenj - any insight?

nielsenj (Author), Posted March 16, 2009

Yes, the WHMCSPW is the static MD5 hash of the users' password from the DB using an encryption key. 'Encryptpassword' uses MD5 to re-hash the string you've passed every time you call it. You get different results on every call using that API because it does not use this encryption key - instead, it uses the timestamp as the encryption base. Essentially the way the password is stored in WHMCS is different than that API routine.

Without having access to the key (which is encoded) you cannot directly re-create the MD5 hash for comparison without using WHMCS functions, which are also encoded. The easiest way, albeit less secure, is to obtain the users' password using the API in plain text and compare it to the user entry.

Regards,

bobbravo2, Posted March 16, 2009

I have successfully authenticated Joomla! using the WHMCS database, but the problem is Joomla! doesn't create the WHMCS:SESSID. I'm trying to use cookies as a workaround. When the user authenticates through Joomla!, it will check the WHMCS database, and then write 2 cookies:

WHMCSUID: userid
WHMCSPW: password

This way, when a user navigates to a WHMCS page, they already have the "Remember Me" cookie, and will not have to log in again. The problem, as you have just outlined, is that the WHMCS API doesn't use the same hash password (for some ?stupid? reason). I have verified that if I use the "password" & "id" from "tblclients" and store them as a cookie, WHMCS (upon refresh) welcomes me back!

Being new to PHP & programming in general, I'd love some guidance as to the best practice for implementing what I'm talking about.

nielsenj (Author), Posted March 16, 2009

This mod is an example of how to authenticate and set the session variables in PHP with WHMCS and Kayako. The main issue is PHP session variables will not authenticate across servers, so both installations must be located on the same server.

In the code specific to my LoginShare I get around the MD5 hash key issue by directly extracting the user's MD5 hash from the database and using it within the PHP session. It is the most efficient way of doing it aside from having access to the WHMCS password encryption key, which I doubt you'll have.

Regards,

bobbravo2, Posted March 16, 2009

I now have a working Auth plugin. It uses the WHMCS API to get the user's password & userid for authentication, and compares that to the login form. Once that is passed, it connects to the WHMCS database and queries for that UID's password in WHMCS format. It then stores the UID & PW to cookies. I have tested it with Joomla 1.5.9 and WHMCS 3.8.1, and once you log in with the Joomla! auth, you are logged into WHMCS via cookie!

My plan is to disable the native WHMCS logins, any pointers for making that work smoothly?

markholland8, Posted March 18, 2009

Hi,

Any chance you could list the code/plugin for others to try?

Thanks
Mark

equipc, Posted March 20, 2009

> I now have a working Auth plugin. It uses the WHMCS API to get the user's password & userid for authentication, and compares that to the login form. Once that is passed, it connects to the WHMCS database and queries for that UID's password in WHMCS format. It then stores the UID & PW to cookies. I have tested it with Joomla 1.5.9 and WHMCS 3.8.1, and once you log in with the Joomla! auth, you are logged into WHMCS via cookie!
>
> My plan is to disable the native WHMCS logins, any pointers for making that work smoothly?

You can use Apache mod_rewrite for this.

kristara, Posted March 11, 2010

> Never mind, I figured it out! Somewhat sensitive, so if someone is looking for the same information feel free to PM me.
>
> Thanks,
> J

I don't seem to have access to PM, however I would love to be able to have WHMCS log in from an external page. Any help would be greatly appreciated.

ShaunR, Posted June 18, 2010

I'm trying to write an external authentication method. I get my client's email and password, now I need to encrypt them and compare to the password that the WHMCS API is giving me. Problem is that it doesn't look like a md5(salt.pass):salt. In fact, it doesn't even look like an MD5 hash... it has slashes and stuff in it. What's going on here? It seems nobody has an answer for this problem.

okomba, Posted October 15, 2010

Hi. I am interested in your solution. I am not able to PM you. Please contact me via email okomba [at] gmail.com. Thanks.

> Never mind, I figured it out! Somewhat sensitive, so if someone is looking for the same information feel free to PM me.
>
> Thanks,
> J

ShaunR, Posted October 15, 2010

These might be useful to some of you guys...

http://www.ndchost.com/wiki/software/whmcs/client-password-hash
http://www.ndchost.com/wiki/software/whmcs/session-upw

Just some stuff I discovered when messing with WHMCS and decided it might as well go in the wiki for safe storage.

okomba, Posted October 16, 2010

Thanks Shaun for the tips. The challenge I am having is determining whether a user is logged in from outside WHMCS. To do this I am using $_SESSION['uid']. However, the value of $_SESSION['uid'] is empty whether or not I am logged in. So I am not able to check if a user is logged in. Thanks.

> These might be useful to some of you guys...
>
> http://www.ndchost.com/wiki/software/whmcs/client-password-hash
> http://www.ndchost.com/wiki/software/whmcs/session-upw
>
> Just some stuff I discovered when messing with WHMCS and decided it might as well go in the wiki for safe storage.

ShaunR, Posted October 17, 2010

Well, according to my wiki article I set $_SESSION['userid'] and not $_SESSION['uid'], so check there first. Another option could be to check for the upw session variable and, if it exists, to build your own and compare.

okomba, Posted October 19, 2010

Thanks. Actually the reason for $_SESSION['uid'] being empty was that I was accessing the WHMCS login via www. while the main website I was accessing without www. That made all the difference!

BTW, correct query is:

    $query = sprintf("SELECT * FROM `tblclients` WHERE id = %d", 1);

and not:

    $query = sprintf("SELECT * FROM `tblclients` WHERE userid = %d", 1);

Cheers.
Mugoma.

Andrey.L, Posted October 19, 2010

    $clientIp = $_SERVER['REMOTE_ADDR'];
    $passwordHash = md5($clientId.$clientPassword.$clientIp);
    setcookie('WHMCSUID',$clientId);
    setcookie('WHMCSPW',$passwordHash);
    $_SESSION['uid'] = $clientId;
    $_SESSION['upw'] = $passwordHash;

plantant, Posted February 5, 2011

> Never mind, I figured it out! Somewhat sensitive, so if someone is looking for the same information feel free to PM me.
>
> Thanks,
> J

Also would like to know how you did it! Can you please send? Thanks

jtnire, Posted April 20, 2011

Sorry to bring up such an old thread, but this is what I'm doing and I'd appreciate some opinions on whether or not it's secure.

I'm actually letting the users authenticate into WHMCS as normal (well sorta, I've made my own login form using the form demo code from the WHMCS wiki). Then, in my own PHP code, I'm just checking to see if $_SESSION['uid'] is greater than zero. This seems to work well.... Of course, I have to run WHMCS and my own webapp on the same Apache instance.

Do you guys think that this is secure?

Thanks

ShaunR, Posted April 20, 2011

No, if you have another piece of software installed on your site that also uses sessions and stores a session var of uid then you are going to run into some big problems. In my opinion you need to check the session var upw against WHMCS. Meaning you need to take the session var uid and build the upw for that uid, then check the session upw value to see if it matches your built version.
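
The check described in the post above (rebuild upw for the session's uid and compare it with the session value) could look like the following. This is an added example, not part of the original posts and not WHMCS code; the derivation md5(uid . stored hash . client IP) is taken from Andrey.L's snippet earlier in the thread and is an assumption, as are the function names and the `$lookupHash` callable.

```php
<?php
// Added example, not WHMCS code. Assumption: upw = md5(uid . stored hash . client IP),
// as in Andrey.L's snippet; confirm against your own WHMCS version before relying on it.

/** Rebuild the upw value for a client (formula is an assumption, see above). */
function expected_upw(int $uid, string $storedHash, string $clientIp): string
{
    return md5($uid . $storedHash . $clientIp);
}

/**
 * True only when the session has a uid AND a upw matching the value rebuilt
 * from that client's database row. Fails closed on anything missing or odd.
 * $lookupHash is a hypothetical callable: uid -> tblclients.password, or null.
 */
function session_is_whmcs_login(array $session, callable $lookupHash, string $clientIp): bool
{
    $uid = filter_var($session['uid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $upw = $session['upw'] ?? null;
    if ($uid === false || !is_string($upw)) {
        return false; // a bare uid may have been set by any app sharing the session
    }
    $storedHash = $lookupHash($uid);
    if (!is_string($storedHash)) {
        return false; // no such client
    }
    // Constant-time comparison of the rebuilt value against the session value.
    return hash_equals(expected_upw($uid, $storedHash, $clientIp), $upw);
}

// Constructed sample data standing in for tblclients (id => password column).
$clients = [7 => 'constructed-stored-hash'];
$lookup  = function (int $uid) use ($clients) { return $clients[$uid] ?? null; };
$ip      = '203.0.113.10'; // documentation address, constructed

$sessions = [
    'valid'       => ['uid' => 7, 'upw' => expected_upw(7, $clients[7], $ip)],
    'uid only'    => ['uid' => 7],
    'stale upw'   => ['uid' => 7, 'upw' => md5('7' . 'old-hash' . $ip)],
    'unknown uid' => ['uid' => 99, 'upw' => 'anything'],
];
foreach ($sessions as $label => $session) {
    printf("%-12s %s\n", $label, session_is_whmcs_login($session, $lookup, $ip) ? 'accept' : 'reject');
}
```

In a real page the arguments would be `$_SESSION` and `$_SERVER['REMOTE_ADDR']`, and the lookup a parameterised query on `tblclients` by `id`.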

jtnire, Posted April 20, 2011

> No, if you have another piece of software installed on your site that also uses sessions and stores a session var of uid then you are going to run into some big problems. In my opinion you need to check the session var upw against WHMCS. Meaning you need to take the session var uid and build the upw for that uid, then check the session upw value to see if it matches your built version.

But I don't have another piece of software that stores another session var of uid.... My software is simply checking for the current one.

ShaunR, Posted April 20, 2011

You would probably be fine, but what if one day you add another piece of software? Say a mailing app, blog app, etc. Like I said, in my opinion you should be checking upw. People take security too lightly these days and that's what gets them into trouble.

jtnire, Posted April 21, 2011

> You would probably be fine, but what if one day you add another piece of software? Say a mailing app, blog app, etc. Like I said, in my opinion you should be checking upw. People take security too lightly these days and that's what gets them into trouble.

Well firstly, that would never happen, as we take service segregation very seriously.

Secondly, what has my web app got to do with that? If another blogging tool running on the same server used uid, yes, that would mess up WHMCS. But again that has nothing to do with my webapp.... But blogging software on my WHMCS Apache instance?! Seriously......?!