4

I have built an SSO (Single Sign-On) system for use between our main site and the Invision Power Board software, but I'm not sure how to go about logging the user out of IPB when they log out from the main site?

Additionally, what files would I need to load in the external file to be able to do this?

Brett

2 Answers

2

Edit: to use IPB code for this, you have to include

require_once( IPS_ROOT_PATH . 'applications/core/modules_public/global/login.php' );

then extend public_core_global_login and call its doLogout() method; for this to work you have to set $this->member->setMember( $member_id ). I, personally, have never done it this way, so below is how you can do it manually:

IPB sets the data in the session and stores several cookies for auto-login. You can perform this without using any IPB sources; what you have to do is (note that query and updatecookie are pseudofunctions for performing DB queries and setting cookie values, respectively):

  // Cast the id to an integer so it cannot alter the SQL statement.
  query("DELETE FROM ".$ibf_prefix."sessions WHERE member_id = ".(int) $userid);

  updatecookie($ibf_cookieid."member_id",0,time()-1800);
  updatecookie($ibf_cookieid."pass_hash",0,time()-1800);
  updatecookie($ibf_cookieid."session_id",0,time()-1800);

You can read $ibf_prefix from conf_global.php:

$ibf_prefix = $INFO['sql_tbl_prefix'];

and $ibf_cookieid is:

$ibf_cache = query_first("SELECT cs_value FROM " . $ibf_prefix . "cache_store WHERE cs_key = 'settings'");
$ibf_cache = unserialize($ibf_cache['cs_value']);

$ibf_cookieid = $ibf_cache['cookie_id'];

You can read the source of the doLogout method in admin/applications/core/modules_public/global/login.php.

I'm not aware of any IPB API for this.

Maxim Krizhanovsky
  • Thanks a lot for that. I will have to give it a try. So will I need to include `conf_global.php` as well as `login.php`? And if I do it manually, do I still need to include `login.php`? Lastly, I thought I would need to load some kind of init file - I think the file for IPB is `initdata.php` ? – Brett Apr 09 '14 at 20:45
  • If you do it manually, you don't need anything other than conf_global.php. If you do it by extending the login, I believe you have to include initdata.php, sources/base/ipsRegistry.php and sources/base/ipsController.php, but as I said, I have never done it before – Maxim Krizhanovsky Apr 10 '14 at 07:13
  • I just got around to trying this...... wondering what does `query_first` do and how does it return an array of data? – Brett Apr 20 '14 at 14:46
  • @Brett something like: $result = mysql_query($sql); if ($result) { return mysql_fetch_array($result); } – Maxim Krizhanovsky Apr 20 '14 at 18:19
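
The manual steps from the answer above, with PDO and setcookie() standing in for the query/updatecookie pseudofunctions. This is an added example, not code from the answer or from IPB: the ipb_logout name, the $path/$domain parameters and the SQLite demo rows are assumptions constructed for illustration.

```php
<?php
// Assumptions (not from IPB): $pdo is an open PDO handle in exception mode, $info is
// the $INFO array from conf_global.php, $path/$domain equal what the board set.
function ipb_logout(PDO $pdo, array $info, int $memberId, string $path = '/', string $domain = ''): array
{
    if (headers_sent()) {
        throw new RuntimeException('must run before any output, or the cookies stay valid');
    }
    // A table prefix cannot be a bound parameter, so validate it before interpolating.
    $prefix = $info['sql_tbl_prefix'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }
    // cookie_id comes from the serialized settings cache, as in the answer.
    $row = $pdo->query("SELECT cs_value FROM {$prefix}cache_store WHERE cs_key = 'settings'")
               ->fetch(PDO::FETCH_ASSOC);
    // allowed_classes => false: stored data must never instantiate objects.
    $settings = $row ? unserialize($row['cs_value'], ['allowed_classes' => false]) : false;
    if (!is_array($settings)) {
        throw new RuntimeException('settings cache unreadable');
    }
    $cookieId = (string) ($settings['cookie_id'] ?? '');
    // Server side first: remove every session row for this member (bound parameter).
    $stmt = $pdo->prepare("DELETE FROM {$prefix}sessions WHERE member_id = ?");
    $stmt->execute([$memberId]);
    // Client side: expire the three cookies; path and domain must match the originals.
    $names = [];
    foreach (['member_id', 'pass_hash', 'session_id'] as $suffix) {
        setcookie($cookieId . $suffix, '', time() - 1800, $path, $domain);
        $names[] = $cookieId . $suffix;
    }
    return ['sessions_deleted' => $stmt->rowCount(), 'cookies_expired' => $names];
}

// Constructed demo data in an in-memory SQLite database (not a real board).
if (PHP_SAPI === 'cli' && extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE ibf_cache_store (cs_key TEXT, cs_value TEXT)");
    $pdo->exec("CREATE TABLE ibf_sessions (id TEXT, member_id INTEGER)");
    $pdo->prepare("INSERT INTO ibf_cache_store VALUES ('settings', ?)")
        ->execute([serialize(['cookie_id' => 'ipb_'])]);
    $pdo->exec("INSERT INTO ibf_sessions VALUES ('a', 42), ('b', 42), ('c', 7)");
    print_r(ipb_logout($pdo, ['sql_tbl_prefix' => 'ibf_'], 42));
}
```

Deleting the session rows before expiring the cookies means the logout holds server-side even if the browser ignores the cookie update.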
0

You can try to destroy the session with session_destroy();

If the user has "Remember me" checked, you have to delete the cookie pass_hash too.

Companjo
  • That solution seems a bit ad-hoc, would prefer to use the same method IPB does to log the user out itself. – Brett Apr 01 '14 at 11:40