
WHMCS Session Login Questions


nielsenj


I'm not saying you're taking security lightly; you're on here asking if you're OK, so you obviously care.

 

The blog was an example, but sure, why not. Some people install WHMCS right off their website, for example www.domain.com/whmcs/ or http://www.domain.com/billing/. Then they want a blog, so they install WordPress at http://www.domain.com/wordpress/. It doesn't have to be a blog; it could be a helpdesk or some other simple app. My point was that if you ever install any third-party software under the same site, and that software happens to also use sessions and the session var of uid, that is where you're going to run into trouble.

 

There are many reasons to use UPW. Another reason... what if an attacker, old staff member, old customer employee, etc. logs into WHMCS. Then you go and change that customer's password. Well, as long as they didn't close their browser, they are still logged in! If you checked against upw, it would realize that the password has changed and upw wouldn't match. This would force that person to a login screen.

 

Like I said, it's not that hard to check UPW, and it adds security. Something like the following would do it pretty easily.

 

<?php

// DB connection (legacy mysql_* extension, as used in the original post;
// it was removed in PHP 7, so newer installs need mysqli or PDO instead)
$dbh = mysql_connect('localhost', 'user', 'pass') or die('MySQL connection failed');
mysql_select_db('whmcs_dbname', $dbh) or die('Failed to select whmcs_dbname database');

// Start a session if one hasn't already been started
if (!session_id()) session_start();

// WHMCS session details exist?
if (!isset($_SESSION['uid']) or !isset($_SESSION['upw'])) {
    header('Location: /whmcs/');
    die('Redirect Failed, Please log into WHMCS');
}

// Get the client row. %d casts uid to an integer, so it cannot carry injection.
// tblclients keys on `id` (the same column the UPW check below reads).
$query = sprintf("SELECT * FROM `tblclients` WHERE id = %d", $_SESSION['uid']);
$result = mysql_query($query, $dbh);
if ($result === FALSE) die('Query Failed: ' . mysql_error());
if (mysql_num_rows($result) != 1) die('No client found with that id');
$user_row = mysql_fetch_assoc($result);

// Check UPW: recompute it from the stored password hash and the client IP,
// so a password change (or a different IP) invalidates the session
if ($_SESSION['upw'] != md5($user_row['id'] . $user_row['password'] . $_SERVER['REMOTE_ADDR'])) {
    header('Location: /whmcs/');
    die('Redirect Failed, Please log into WHMCS');
}

?>


Oh and also, the "Blogging" app would have to share the same session ID as WHMCS, which just wouldn't happen....

 

PHP does a really good job of making sure the browser doesn't lose a session. If you log into domain.com/blog/ and it starts a session and sets a session var of uid, and then you go up to the address bar and change the URL to domain.com/whmcs/, then yes, it would be a problem. uid would be visible in both of those apps.

 

Remember, PHP has no idea they are separate apps. All it knows is that when session_start() is called, it tries to start back up an existing session if it can find one. It has no idea that /blog and /whmcs are two different apps with two different sets of data.

Edited by ShaunR
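The two points raised in the posts above, a third-party app leaking its uid into the WHMCS session and a stale login surviving a password change, as an added example that is not from the original posts or from WHMCS itself. The cookie name, path and sample data are assumptions; the upw formula (id . password . ip) is the one the posted snippet checks against.

```php
<?php
// Added example, not the forum poster's code: isolate a third-party app's
// session from WHMCS's and verify upw with a constant-time comparison.

// 1. Give the third-party app its own session cookie, so a `uid` it sets
//    never lands in the cookie WHMCS reads. Name and path are assumptions.
function start_isolated_session(string $cookie_name = 'BLOGSESSID'): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_name($cookie_name);      // distinct from WHMCS's PHPSESSID
        session_set_cookie_params([
            'path'     => '/blog/',      // cookie is only sent under this app
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// 2. Recompute upw from the client's row and the request IP, then compare.
//    Returns false when no WHMCS login is present, when uid points at a
//    different client, or when the stored password hash has changed.
function whmcs_upw_matches(array $session, array $client_row, string $remote_addr): bool
{
    if (!isset($session['uid'], $session['upw'])) {
        return false;
    }
    if ((int) $session['uid'] !== (int) $client_row['id']) {
        return false;
    }
    $expected = md5($client_row['id'] . $client_row['password'] . $remote_addr);
    // hash_equals avoids a timing side channel on the comparison itself
    return hash_equals($expected, (string) $session['upw']);
}

// Constructed sample data so the check runs stand-alone without a database.
$client = ['id' => 42, 'password' => 'constructed-stored-password-hash'];
$ip     = '203.0.113.7';
$good   = ['uid' => 42, 'upw' => md5('42' . $client['password'] . $ip)];
$stale  = ['uid' => 42, 'upw' => md5('42' . 'previous-password-hash' . $ip)];

var_dump(whmcs_upw_matches($good,  $client, $ip));   // current password
var_dump(whmcs_upw_matches($stale, $client, $ip));   // password was changed
```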
