vBulletin = aMember Integration (Session Cookie Issue)

Discussion in 'Customization & add-ons' started by karyng01, Aug 1, 2020 at 9:16 AM.

  1. karyng01 (aMember Pro Customer; joined Jul 30, 2008; messages: 66)

    Hi Everyone,

    SETUP
    • aMember v6.2.6
    • vBulletin v5.6.2
    • vBulletin plugin logs you in/out of vBulletin as you login/logout of aMember
    • Integrated menu allows navigation between aMember & vBulletin

    COOKIES
    • bbsessionhash - vBulletin login cookie
    • PHPSESSID - aMember login cookie
    • PHPSESSID - vBulletin (Facebook code) cookie

    PROBLEM
    • Login to aMember (plugin auto logs you into vBulletin via a vBulletin bbsessionhash cookie)
    • You can successfully navigate (move) from aMember to vBulletin the first time
    • vBulletin (Facebook code) overwrites the aMember set PHPSESSID cookie value
    • When you navigate (move) back to aMember, you enter an endless 302 redirect chain
    • aMember is no longer logged in, since vBulletin (Facebook code) overwrote the aMember set PHPSESSID cookie value, invalidating aMember's login session

    SOLUTION

    There are several approaches to fix this issue.
    1. Set a unique PHPSESSID cookie name for just vBulletin via PHP.INI or USER.INI (shared hosting)
    2. Set a unique PHPSESSID cookie name for both aMember & vBulletin via PHP.INI or USER.INI

    Essentially you are giving vBulletin its own uniquely named session cookie so it doesn't overwrite the session cookie aMember created.

    Example renamed session cookies:
    AMEMBER-PHPSESSID
    VBULLETIN-PHPSESSID

    All caps for session cookie names are just a naming convention and not required.

    You only need solution (1) but I found it visibly easier to see what was going on by using solution (2) and naming both session cookies with clear names.

    CODE

    aMember user.ini code needs to be placed in /amember/ folder
    Just the session.name is needed for this solution, the other settings are used to improve cookie security.

    Code:
    ; Set a unique session cookie name for both aMember & vBulletin to keep login sessions separate
    session.cookie_domain = ".yourdomain.com"
    session.name = "AMEMBER-PHPSESSID"
    ; httponly hides the cookie from JavaScript; secure sends it over HTTPS only
    session.cookie_httponly = true
    session.cookie_secure = true
    ; session.cookie_samesite = "Strict"
    ; needs PHP 7.3 to set samesite cookie

    vBulletin user.ini code needs to be placed in /forums/ folder
    Just the session.name is needed for this solution, the other settings are used to improve cookie security.

    Code:
    ; Set a unique session cookie name for both aMember & vBulletin to keep login sessions separate
    session.cookie_domain = ".yourdomain.com"
    session.name = "VBULLETIN-PHPSESSID"
    ; httponly hides the cookie from JavaScript; secure sends it over HTTPS only
    session.cookie_httponly = true
    session.cookie_secure = true
    ; session.cookie_samesite = "Strict"
    ; needs PHP 7.3 to set samesite cookie

    Alternative way of setting aMember session cookie name
    /amember/application/configs/config.php

    Code:
    const AM_SESSION_NAME = 'AMEMBER-PHPSESSID';

    If you want to set the other cookie parameters here is the code.

    Code:
    // Arguments: lifetime in seconds, path, domain, secure, httponly
    session_set_cookie_params(10800, '/', '.yourdomain.com', true, true);

    You have to set the session timeout in seconds. This should be set to the same value you set via the aMember admin interface for length of login session. In this example, 180 minutes.

    Setup/Configuration > Login Page > User Session Lifetime (minutes)

    Note: aMember sets this in minutes but if using the config.php you need to set the equivalent number of seconds to match up.

    My thanks to aMember tech support team for their help in working the problem.

    Hope this helps someone in the same aMember = vBulletin integration situation.

    Aly
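
The overwrite described under PROBLEM and the effect of the renamed cookies, as an added example that is not part of the original post: it parses constructed Set-Cookie headers for both apps and reports any cookie that two apps store under the same name, domain and path, plus any cookie missing Secure or HttpOnly. The host, the cookie values and the simplified name/domain/path identity model are assumptions.

```python
# Added example. Host and all cookie values are constructed placeholders.

def parse_set_cookie(header, host, default_path="/"):
    """Parse one Set-Cookie value into the fields a browser stores it under."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "domain": host.lower(),
              "path": default_path, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key in ("secure", "httponly"):
            cookie[key] = True
    return cookie

def find_collisions(responses):
    """Return {(name, domain, path): [apps]} for identities set by 2+ apps."""
    owners = {}
    for app, host, header in responses:
        c = parse_set_cookie(header, host)
        owners.setdefault((c["name"], c["domain"], c["path"]), set()).add(app)
    return {ident: sorted(apps) for ident, apps in owners.items() if len(apps) > 1}

def weak_cookies(responses):
    """Return (app, cookie name) pairs that lack Secure or HttpOnly."""
    parsed = [(app, parse_set_cookie(header, host)) for app, host, header in responses]
    return [(app, c["name"]) for app, c in parsed
            if not (c["secure"] and c["httponly"])]

HOST = "www.yourdomain.com"  # placeholder host, as in the post
FLAGS = "; path=/; domain=.yourdomain.com; secure; HttpOnly"
BEFORE = [  # both apps use PHP's default session name
    ("amember", HOST, "PHPSESSID=aaa111; path=/"),
    ("vbulletin", HOST, "bbsessionhash=bbb222; path=/; secure; HttpOnly"),
    ("vbulletin", HOST, "PHPSESSID=ccc333; path=/"),
]
AFTER = [  # session.name set per app, with the extra cookie settings
    ("amember", HOST, "AMEMBER-PHPSESSID=aaa111" + FLAGS),
    ("vbulletin", HOST, "bbsessionhash=bbb222; path=/; secure; HttpOnly"),
    ("vbulletin", HOST, "VBULLETIN-PHPSESSID=ccc333" + FLAGS),
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, find_collisions(sample), weak_cookies(sample))
```

To check a real site, replace the sample lists with the Set-Cookie headers each app returns, for example as shown in the browser's network tab.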
