LightOpenID is only using the first AuthURL returned despite individual PHP Sessions being started

620

Here's my login code below, it's pretty standard. Why would a user who presses login on steamcommunity. Below this code is a quick debug output I threw together which demonstrates that although 2 AuthURLs are being sent, for some reason LightOpenID is applying the first returned result to every user attempting to authenticate through steam at a similar time. I.e. getting to steamcommunity and signing in.

 <?
 ob_start();
 session_start();
if(isset($_GET['logout']))
{
    if(isset($_COOKIE[session_name()])):
        setcookie(session_name(), '', time()-7000000, '/');
    endif;

    if(isset($_COOKIE['login_user'])):
        setcookie('login_user', '', time()-7000000, '/');
    endif;

    session_unset();

    session_destroy();

    header("Location: index.php");
}

include "kern/apikey.php";
include "kern/openid.php";
$OpenID = new LightOpenID("xxxxxx.com");

if(!$OpenID->mode)
{
    if(isset($_GET['login']))
    {
        $OpenID->identity = "http://steamcommunity.com/openid";
        header("Location: " . $OpenID->authUrl());
    }
    if(!isset($_SESSION['SteamAuth']))
    {
        $login = "<div id=\"login\">In order to access the panel, you must <br /><br /> <a href=\"?login\"><img src=\"http://cdn.steamcommunity.com/public/images/signinthroughsteam/sits_large_noborder.png\"/></a></div>";
    }
} else if ($OpenID->mode == "cancel")
{
    echo "Authentication Cancelled...";
} else {
    if($OpenID->validate())
    {


        $id = $OpenID->identity;

        $_SESSION['SteamID64'] = str_replace("http://steamcommunity.com/openid/id/", "", $id);
        $_SESSION['SteamAuth'] = true;

        $Steam64 = str_replace("http://steamcommunity.com/openid/id/", "", $id);
        $profile = file_get_contents("http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key={$api}&steamids={$Steam64}");
        $steam = json_decode($profile, true);
        $communityid = $steam['response']['players'][0]['steamid'];
        $authserver = bcsub($communityid, '76561197960265728') & 1;
        $authid = (bcsub($communityid, '76561197960265728')-$authserver)/2;
        $_SESSION['SteamID'] = "STEAM_0:" . $authserver . ":" . $authid;
        $_SESSION['SteamName'] = $steam['response']['players'][0]['personaname'];

        header("Location: index.php");
    } else {
        echo "User is not logged in";
    }
}

?>

<html>
<body>
<div id="title">Login</div>
<div id="content">
<?
    echo $login;
?>
</div>
</body>
</html>

See the log file below which indicates the AuthURL is being sent twice, but only a single response is actually being used:

[09-Nov-2014 14:09:52 America/Chicago] Begin login!
[09-Nov-2014 14:09:52 America/Chicago] Sent authurl!xxxxx

[09-Nov-2014 14:10:03 America/Chicago] Begin login!
[09-Nov-2014 14:10:03 America/Chicago] Sent authurl!xxxxx

[09-Nov-2014 14:10:10 America/Chicago] Begin login!
[09-Nov-2014 14:10:11 America/Chicago] Got identity!http://steamcommunity.com/openid/id/xxxx

[09-Nov-2014 14:10:11 America/Chicago] Using Steam64!xxxx

[09-Nov-2014 14:10:11 America/Chicago] Using string steam64!xxxx

As you can see, although 2 AuthURLs are being sent at a similar time, as soon as one identity is returned it applies it to both users, meaning people get logged into the incorrect accounts.

This issue appears entirely reproducible using the https://github.com/SmItH197/SteamAuthentication PHP examples.

Steps to reproduce: 1. First user clicks "Log in through steam", hangs at the steamcommunity.com OpenID login. 2. Second user clicks "Log in through steam", hands at steamcommunity.com login. 3. Both users then click through, one will be logged in as the other.

368

Answer

Solution:

Tested this on an external webserver, turns out it seems to be due to server/PHP config down the line, not entirely sure why it's happening or what the cause is, so my solution will be to move my steamauth to another server for now.

People are also looking for solutions to the problem: php - Syntax error in sql query for laravel

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.