XF 2.1 Check if user is logged in from a remote server

[Michele]

I need from a separate server a way to check if user is logged in on the xenforo server.


I implemented a remote login integration with my CMS and Xenforo API. When user press a link his account get created and he do automatico login on xenforo.

The only one issue is that if user it do one time during the current session and after it come back to main site to return later on forum the script is not able to underatnd if is already logged in on forum or not.

What i need is a way from the CMS server ( remotly so ) to check xenforo server and get if user is logged in or not .

At moment the script is not able to know if user is logged in or not on xenforo server and every time so the user click that link he try to LOGIN him again with a consequent error on xenforo that inform the user he did already the login. It is not nice to see and make confusion. I want tso that my script before doing login he check if the current user is logged in on forum server.



I found some codes around but that codes are working if CMS and Xenforo are hosted on the same server on different folders. If i try to call this script from remote because i can do it only with a CURL it give me back always user is GUEST. That why it is not the solution

<?php

require('src/XF.php');
\XF::start('/hc');
$app = \XF::setupApp('XF\Pub\App');
$s = $app->session();
$uid = $s->get('userId');
if ($uid){
    $finder = \XF::finder('XF:User');
    $user = $finder->where('user_id', $uid)->fetchOne();
    print_r($user->username);
}else{
    echo 'guest';
}

?>

The issue with my solution is that Xenforo and my CMS are hosted on separate servers. What can i do to solve the issue here ?

Thanks

 

[Michele]

No one ? Really every time i posted something no reply...wow good help and support community !

 

[webbouk]

So you posted this complex question less than 24hours ago and because you haven't (as yet) received a reply you rather sarcastically have a go at the community.
Maybe a bit of patience and good manners would get you a better response.

 

[[F.A] Walky]

Hello,

If you’re using a remote server I guess you’d have to use XenForo API to get the data you want.

You’ll find all you want to achieve your request here : https://xenforo.com/community/pages/api-endpoints/

Regards,
Walky

 

[Michele]

Hello,

If you’re using a remote server I guess you’d have to use XenForo API to get the data you want.

You’ll find all you want to achieve your request here : https://xenforo.com/community/pages/api-endpoints/

Regards,
Walky

What is the name of variable i can retrive with GET command that tell me if the current user is logged in or not ? I see long list of field but no any explenation near. Maybe some of them can tell me this...but who better than Xenforo developer can tell me ?

I hope the moderator can point me out the variable or the way using API i can use to know if the current user is logged in or not.

From my side i have only the username so using username i need to check if it is logbvged in or no
t
Thanks

 

[[F.A] Walky]

Everything is explained, you have description next to endpoints + they explain which parameters are needed / optional.

I guess you’d have to do it in 2 times, first with users/find-name so you could get the User Id and then users/{id} to get the last activity of the searched user !

 

[Michele]

Everything is explained, you have description next to endpoints + they explain which parameters are needed / optional.

I guess you’d have to do it in 2 times, first with users/find-name so you could get the User Id and then users/{id} to get the last activity of the searched user !

Ok but who give me the insurance if last activity was few minutes ago the user did not do the logout on forum ? I mean ok it could be that because is bassed few time he didnt do the logout but could be he did...

 

[Michele]

up

 

[ivp]

I have a similar problem, but need to use SQL query to check if the user is logged in.

Is this doable?

 

[nocte]

I have a similar problem, but need to use SQL query to check if the user is logged in.

are you doing this inside a XF addon?

Then you could ask for: \XF::visitor()->is_online()

 

[ivp]

No, external service can do SQL only.

 

[nocte]

Try this:

SELECT xf_user.username, xf_session_activity.view_date FROM xf_user
LEFT JOIN xf_session_activity ON xf_user.user_id = xf_session_activity.user_id
WHERE xf_user.user_id = 1 AND xf_session_activity.view_date > 1234567890

you have to change user_id and the unix timestamp (usually 15 minutes ago) in the last line.

I you want to respect privacy (visibility status):

SELECT xf_user.username, xf_session_activity.view_date FROM xf_user
LEFT JOIN xf_session_activity ON xf_user.user_id = xf_session_activity.user_id
WHERE xf_user.user_id = 1 AND xf_user.visible = 1 AND xf_session_activity.view_date > 1234567890

If you don't get a result, then the user was not recently online or clicked on the "logout" link.

 

[ivp]

Great, checking is there an active session for the username is solved, many thanks @nocte

How to avoid asking password from the user again, since external service requires both username and password to login?

First should check for an active session, but then need additional checks to make sure if it is the same user. IP address is one of them. What else can be done?

 

[Mike]

You really can't determine if a particular request relates to a logged in user unless you have access to their XF cookies (which generally means you're accessing on the same domain, potentially across sub-domains if you've changed your cookie config). If that's the case, the 2.2 REST API has an endpoint that you can use: https://xenforo.com/community/pages/api-endpoints/#route_post_auth_from_session

 

[ivp]

The problem is that external service can use SQL query only. It is not web service.

We can pass username and password to it. We do have a username, but don't have a password.

Maybe instead of real password we can pass some custom value, to be used for SQL validation. Such value would be present in HTML source, so cannot use session id to avoid session hijacking.

How about creating some temporary password and store hash in custom table right before connecting to external service. Then external service checks the following:

1. If username is online in the last 60 seconds using "view_date" field in xf_session_activity table
2. If IP used for accessing external service is the same as "ip" field in xf_session_activity table
3. Compare temporary password hash with value stored in custom table

Potential hijacker must use the same IP, see the source of your HTML page on SSL connection and access the external service in 60 seconds.