Cookies & Sessions
PHP exposes client-side information through $_COOKIE (the cookies the browser sent with the request; they are written with setcookie()) and keeps server-side information in $_SESSION. Calling session_start() makes PHP send the session ID to the browser in the PHPSESSID cookie (the name set by session.name), so the client holds only an opaque identifier and the data behind it stays on the server. It is good practice to keep state in the session rather than in cookies: a cookie can be read and modified by whoever controls the browser, whereas session data is controlled server side and kept private.
The php.ini setting session.use_only_cookies=On controls whether PHP accepts the session ID from the cookie only. It is on by default. If it is turned off, PHP will also accept a session ID passed as a GET or POST parameter (for example ?PHPSESSID=...), which lets an attacker hand a victim a link carrying a session ID the attacker chose and then share the victim's session once they log in (session fixation). Leave it on, and pair it with session.use_strict_mode=On so that PHP rejects session IDs it did not generate itself.
Call session_start() on every page that reads or writes $_SESSION, before any output is sent, because it sets the session cookie via an HTTP header.
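The settings above, as an added example that is not BlueThrust code: a session bootstrap that enforces cookie-only session IDs, hardens the cookie flags, and regenerates the ID at login and clears it at logout. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()), that it is included before any output on every page, and that the site is served over HTTPS; the loginTime key is an assumed extra, not one of the BlueThrust keys listed on this page.

```php
<?php
// Added example, not part of BlueThrust. Assumes PHP >= 7.3 and HTTPS.
declare(strict_types=1);

function startHardenedSession(): void
{
    // Accept the session ID from the cookie only, never from ?PHPSESSID=...
    // These are PHP_INI_ALL, so they can be set at runtime as well as in php.ini.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs the server did not generate itself (defeats fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',   // not attached to cross-site POST requests
    ]);
    session_start();
}

// Call after the username/password check has succeeded, before writing the
// member's data into $_SESSION. A fresh ID means that a session ID an attacker
// learned before login is worthless after it.
function loginSession(string $username): void
{
    session_regenerate_id(true);      // true = discard the old session data too
    $_SESSION['btUsername'] = $username;
    $_SESSION['loginTime']  = time(); // assumed key for this example only
}

// Clear server-side state and expire the cookie so the browser drops the ID.
function logoutSession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

startHardenedSession();
```

With session.use_only_cookies=1 and use_strict_mode=1 a request such as /index.php?PHPSESSID=attackerchosen is served with a brand-new session rather than the supplied one; without them PHP would adopt the ID from the URL.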
BlueThrust uses the following session variables.
- btUsername
- btPassword
It also uses these:
- $checkNewsUpdates
- $sessionName
- $tableName
- appendIP
- btAccessCache
- btAccessCacheTables
- btAccessCacheTypes
- btAccessRules
- btAppComponent
- btComposeList
- btCountMindChanges
- btDeleteFormComponent
- btEventID
- btFacebookNonce
- btFBAccessToken
- btFormComponent
- btFormComponentCount
- btFormComponentTempSelectValues
- btInviteList
- btLastSearch
- btMemberAccess
- btMemberAccessCache
- btMembersOnlyTagger
- btOauth_Token
- btOauth_Token_Secret
- btPollOptionCache
- btProfileCache
- btProfileCacheRefresh
- btRankAccessCache
- btRememberMe
- btStatCache
- btYoutubeNonce
- csrfKey
- lastConsoleCategory
If you select "Remember Me" when logging in, the following cookies are also set.
- btUsername
- btPassword - hashed using crypt(), salted, prefixed with $2a. This cookie is used by the installer.
- btSessionID
Because the btPassword cookie carries the member's password hash and outlives the browser session, anyone who obtains it holds that hash; send these cookies with the Secure and HttpOnly flags so they travel only over HTTPS and cannot be read by scripts.
There are 2 password fields in the database.
- members.password - a bcrypt hash (crypt()'s Blowfish scheme) with its salt, prefixed with $2a
- members.password2 - just the salt
Passwords are hashed, not encrypted, by a custom routine: encryptPassword() in _functions.php. It calls crypt() with the $2a prefix. PHP superseded $2a with $2y in 5.3.7 after a bug in its $2a implementation affecting passwords containing non-ASCII bytes; $2y is also the prefix that password_hash() produces.
The salt field (password2) holds one character more than the 22 that a bcrypt setting string uses. crypt() reads exactly 22 salt characters after the cost parameter and ignores anything that follows, so the extra character has no effect on the hash.
TODO: Upgrade this to password_hash() and $2y. password_verify() accepts the existing $2a hashes, so the upgrade can happen on the fly: verify the stored hash on login, then rehash with password_hash() when password_needs_rehash() reports that it is not a current $2y hash. Since bcrypt embeds the salt in the hash, password2 is not needed for rehashed rows.
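The migration described in the TODO, as an added example that is not BlueThrust code: a login check that verifies both the legacy $2a hashes and new $2y hashes with password_verify(), rehashes legacy rows with password_hash() on successful login, and a small check confirming that crypt() ignores the 23rd salt character. It assumes a PDO handle, a members table with the username, password and password2 columns named above, a cost of 12 (an assumed value), and that encryptPassword() builds its setting string as "$2a$" followed by a two-digit cost, "$" and the salt (assumed; the exact format is not shown on this page).

```php
<?php
// Added example, not part of BlueThrust. Assumes PDO and the members table
// columns described on this page; cost and setting-string layout are assumed.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumed; raise until hashing takes ~100 ms on the server

/**
 * The page notes that password2 carries one character more than bcrypt uses.
 * crypt() decodes exactly 22 salt characters after "$2a$NN$" and ignores the
 * rest, so a 23-character salt yields the same hash as its first 22 characters.
 * Returns true when the two hashes match.
 */
function extraSaltCharIgnored(string $password, string $salt22, string $extra): bool
{
    $withoutExtra = crypt($password, '$2a$10$' . $salt22);
    $withExtra    = crypt($password, '$2a$10$' . $salt22 . $extra);
    return hash_equals($withoutExtra, $withExtra);
}

/**
 * Verify a login and upgrade the stored hash when it is still a legacy $2a hash
 * (or a $2y hash with a lower cost than BCRYPT_COST). Returns true on success.
 */
function verifyAndUpgrade(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false) {
        // Unknown user: spend the same time as a real check so the response
        // timing does not reveal which usernames exist.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        password_verify($password, $dummy);
        return false;
    }

    // password_verify() falls back to crypt() for hashes it does not recognise,
    // so one call handles the legacy "$2a$" rows and the new "$2y$" rows alike.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // password_get_info() reports "$2a$" hashes as an unknown algorithm, so
    // password_needs_rehash() returns true for every legacy row. The plaintext
    // is available right now, which is the only moment a rehash is possible.
    $options = ['cost' => BCRYPT_COST];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, $options);
        $upd = $db->prepare('UPDATE members SET password = ?, password2 = ? WHERE username = ?');
        // The salt is embedded in $newHash; password2 is cleared for this row.
        $upd->execute([$newHash, '', $username]);
    }
    return true;
}

/**
 * Replacement for encryptPassword() once all rows have been migrated:
 * no separate salt, no hand-built setting string.
 */
function hashNewPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}
```

Run extraSaltCharIgnored('hunter2', 'abcdefghijklmnopqrstuv', 'X') to see the truncation claim confirmed; in production the legacy path disappears on its own as members log in, after which password2 can be dropped from the schema.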