Latest Firefox messing with SSO URL

Browser: Firefox 83.0 (64-bit)

SSO works fine in Chrome using the PHP script found on this forum, but on Firefox it adds an == before &sig. Anyone know what might cause that?

session/sso_provider?sso=bm9uY2U9MmE4YmE2NmE0ZmRmYjRlM2JmNGJmMDkzNTliZjg3MWVlZDhkMTIzNTRiMzc4OGQyNTAwYzY3NjBiZjEwNWMyNmYzMTUxNmE4NTc0NDdjNzE0YmRkYTM4MTljMmFjOTA5NmY0MDkyNWQ5NWIwOTFkMDVmM2QzZDIyZDhmYTdiMzYmcmV0dXJuX3Nzb191cmw9aHR0cHMlM0ElMkYlMkZ2Y2VsaXF1aWRyZWNpcGVzLmNvbSUyRmNvbnRyb2xsZXJzJTJGbG9naW5Db250cm9sLnBocA==&sig=261ee2477e94edcbcc1513e248091860445ed2c2cc8f30835a1fd061ff0

Can you share a link to the PHP script that you’re using?

2 Likes

That is a part of the base64 encoded string. You should urlencode() it before sending it to the client. Are you doing that? Can you share your code?

3 Likes

The code is as follows; thanks in advance.

I modified this: Discourse sso provider login · GitHub
Link to the site using it and that has the issue in Firefox: https://vceliquidrecipes.com/

LOGIN FORM

// The form is emitted from PHP; $discourse_url and $query are built in the block below
echo '<div class="row mt-1">
<div class="col-md-12 d-flex justify-content-center">
<p><a class="btn btn-success" href="'.$discourse_url.'/session/sso_provider?'.$query.'" role="button">Sign in</a>&nbsp;&nbsp;<a class="btn btn-success" href="https://vapingcommunity.co.uk/signup" role="button">Register</a></p>
</div>
</div>';

<?php
session_start(); // needed for $_SESSION below, if not already started elsewhere

$sso_secret = 'ITSASECRET';
$discourse_url = 'https://vapingcommunity.co.uk';

// Single-use nonce from a CSPRNG; mt_rand() is not suitable for this
$nonce = bin2hex(random_bytes(32));
$_SESSION['nonce'] = $nonce;

// $me is the URL Discourse should redirect back to (defined elsewhere in the script)
$payload = base64_encode(http_build_query(array(
	'nonce' => $nonce,
	'return_sso_url' => $me
)));

$request = array(
	'sso' => $payload,
	'sig' => hash_hmac('sha256', $payload, $sso_secret)
);

// http_build_query() percent-encodes the values, so the base64 '==' padding is sent as %3D%3D
$query = http_build_query($request);


if (!empty($_GET) && isset($_GET['sso']) && isset($_GET['sig'])) {
	$sso_secret = 'ITSASECRET';
	if (isset($_SESSION['loggedin']) && isset($_SESSION['username']) && $_SESSION['loggedin'] == true) {
		header("location: /");
		die();
	}

	// PHP has already URL-decoded $_GET; calling urldecode() again would turn a '+'
	// in the base64 into a space and the signature would never match
	$sso = $_GET['sso'];
	$sig = $_GET['sig'];

	// hash_equals() compares the two digests in constant time
	if (!hash_equals(hash_hmac('sha256', $sso, $sso_secret), $sig)) {
		header("HTTP/1.1 404 Not Found");
		die();
	}
	// ... $sso is then handed to the controller below
}

In my controller

// $sso is already URL-decoded (it came from $_GET); decoding it a second time corrupts any '+' in the base64
$query = array();
parse_str(base64_decode($sso), $query);

// Check the nonce before creating or logging in anyone, and accept it only once
$nonce = isset($_SESSION['nonce']) ? $_SESSION['nonce'] : '';
unset($_SESSION['nonce']);
if ($nonce === '' || !isset($query['nonce']) || !hash_equals($nonce, $query['nonce'])) {
	header("HTTP/1.1 404 Not Found");
	die();
}

$username = $query['username'];
$useremail = $query['email'];
if (!empty($query['avatar_url'])) {
	$avatar_url = $query['avatar_url'];
} else {
	$avatar_url = $miscf->fullURL().'/images/defaultAvatar.png';
}
$userisadmin = $query['admin'];
$userismoderator = $query['moderator'];
$usergroup = $query['groups'];
$externalid = $query['external_id'];
if ($userf->checkUserEIDExists($externalid) == false) {
	$userf->addUser($username, $useremail, $avatar_url, $userisadmin, $userismoderator, $usergroup, $externalid);
}

$userf->loginUser($query['username'], $query['external_id'], $avatar_url, $query['groups']);

Login function:

*SETS COOKIE DOES OTHER MISC STUFF LIKE USER CHECKS*

*FINISHES WITH THIS*
	// Redirect to the page stored before login, or to the site root
	if (isset($_SESSION['url'])) {
		$url = $_SESSION['url'];
	} else {
		$url = "";
	}
	$miscf = new miscf();
	$fullurl = $miscf->fullURL().$url;
	header("Location: ".$fullurl);
	unset($_SESSION['url']);
	die();

1 Like
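The exchange the PHP above implements, written out in Python as an added example that is not part of this thread or the linked gist. It shows that urlencode() already percent-encodes the base64 padding (the == in the link travels as %3D%3D), and what happens on the callback if the sso value is URL-decoded a second time after the framework has decoded it once: any + in the base64 becomes a space and the signature check fails. The secret, nonce, URLs and response fields are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, unquote_plus, urlencode


def new_nonce():
    """Single-use nonce from a CSPRNG; store it in the session before redirecting."""
    return secrets.token_hex(32)


def sign_payload(fields, secret):
    """Base64 of a query string and its HMAC-SHA256 hex signature.
    The site does this for the login request, Discourse for the response."""
    payload = base64.b64encode(urlencode(fields).encode()).decode()
    sig = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return payload, sig


def build_login_query(nonce, return_sso_url, secret):
    """Site side: the part after /session/sso_provider? in the login link.
    urlencode() percent-encodes the payload, so '==' padding is sent as %3D%3D."""
    payload, sig = sign_payload({"nonce": nonce, "return_sso_url": return_sso_url}, secret)
    return {"sso": payload, "sig": sig, "query": urlencode({"sso": payload, "sig": sig})}


def verify_callback(sso, sig, expected_nonce, secret, double_decode=False):
    """Site side on return. sso and sig are as the framework delivers them (already
    percent-decoded once, like PHP's $_GET). Returns the user fields, or None
    when the signature or the nonce does not match."""
    if double_decode:
        # Mimics urldecode() on an already-decoded value: a '+' from the base64
        # alphabet turns into a space, so the signature no longer matches.
        sso = unquote_plus(sso)
    expected = hmac.new(secret.encode(), sso.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    fields = {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}
    if not hmac.compare_digest(fields.get("nonce", ""), expected_nonce):
        return None
    return fields


if __name__ == "__main__":
    SECRET = "ITSASECRET"  # placeholder taken from the thread, not a real secret
    nonce = new_nonce()
    print(build_login_query(nonce, "https://example.test/login", SECRET)["query"])
    # Constructed Discourse response; three '~' in a row guarantee a '+' in the base64
    payload, sig = sign_payload({"nonce": nonce, "external_id": "42", "username": "tilde~~~user"}, SECRET)
    print(verify_callback(payload, sig, nonce, SECRET))                      # user fields
    print(verify_callback(payload, sig, nonce, SECRET, double_decode=True))  # None
```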

Ok, that all looks good. And how is this causing a problem? Since I think it should work nevertheless…

1 Like

Well, I’m glad you asked. It seems to log in OK, but then, back on the site, it doesn’t show the user menu; it just shows the login button again under the User nav link.

I’m starting to wonder if it is cookie related, but it works fine in Chrome. It’s almost as if the “logged in” check is being ignored on initial page load; a refresh reveals all the user navigation items for a logged-in user. I want to stress that it only happens in Firefox.

Hmm that is very odd indeed.

However, I think this has nothing to do with the fact that the == is not shown URL encoded. So you might be on the wrong path here.

2 Likes

I’ll keep trying until I fix it and report back when I do, thanks for your help :smile:

1 Like