[mlimg]
[xlang:en]

   == AUTO-LOGIN V3 (REMEMBER ME) hacked files for XOOPS 2.0.16 ==

[b]This package is only for 2.0.16 released from www.xoops.org. Don't apply it to 2.0.16JP or higher[/b]

------------------------------------------------------------------

Hacked core files that enable automatic login (+ alpha).
This package is for XOOPS 2.0.16.


[b]USAGE:[/b]
1) Copy these files over your XOOPS 2.0.16 installation.
2) Update the system module. If you are using a custom template set, you will need to edit system_block_login.html for that set. (The tplsadmin module is recommended for this.)
3) If the "remember me" checkbox does not appear in the login form, delete the compiled PHP template files under templates_c/.

AUTO-LOGIN V3 is a little safer than V2.
V3 stores an MD5 hash of the user's password together with an expiration time.
If the cookie is stolen, the thief can no longer log in once the auto-login has expired.
This means a short expiration makes your site a little bit safer.

The retry/repost feature has been available since AUTO-LOGIN V2.

- You can access dynamic content directly via auto-login without introducing CSRF vulnerabilities.

- You can retry a post even if your session has timed out.

These features are implemented in session_confirm.php.
Don't forget to upload this file.


If you want to set the lifetime of the "remember me" cookie, add a line like this to mainfile.php:
[code]
define('XOOPS_AUTOLOGIN_LIFETIME',2678400);
[/code]
This example sets the lifetime to 1 month (the value is in seconds).
The default value is 604800 (= 1 week).


This hack stores the password as an MD5 hash on the client. That hash is vulnerable to dictionary attacks, and the cookie can simply be copied to another computer.

This hack is a potential security hole; don't enable it lightly.
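As an added example (not code from this package), the following PHP shows how a time-limited auto-login cookie can be built so that it carries no password material at all: the cookie holds the uid, an expiry derived from XOOPS_AUTOLOGIN_LIFETIME, and an HMAC over both, keyed with a server-side secret. AUTOLOGIN_SECRET and the two function names are hypothetical; the code assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not part of AUTO-LOGIN V3. A stolen cookie is still usable
// until it expires, but it cannot be dictionary-attacked to recover the
// password, and the expiry cannot be extended without the server secret.

if (!defined('XOOPS_AUTOLOGIN_LIFETIME')) {
    define('XOOPS_AUTOLOGIN_LIFETIME', 604800); // README default: 1 week
}
// Hypothetical: a long random value that would live in mainfile.php.
define('AUTOLOGIN_SECRET', 'replace-with-a-long-random-value');

// Cookie value format: "uid:expires:mac"
function autologin_make_cookie($uid, $now)
{
    $expires = $now + XOOPS_AUTOLOGIN_LIFETIME;
    $mac = hash_hmac('sha256', $uid . ':' . $expires, AUTOLOGIN_SECRET);
    return $uid . ':' . $expires . ':' . $mac;
}

// Returns the uid as int when the cookie is well-formed, unexpired and
// authentic; false otherwise.
function autologin_check_cookie($cookie, $now)
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    list($uid, $expires, $mac) = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return false;
    }
    if ((int)$expires < $now) {
        return false; // lifetime elapsed: the cookie is worthless even if stolen
    }
    $expected = hash_hmac('sha256', $uid . ':' . $expires, AUTOLOGIN_SECRET);
    if (!hash_equals($expected, $mac)) {
        return false; // uid or expiry was tampered with
    }
    return (int)$uid;
}

// Constructed usage: issue a cookie for uid 42, then check the genuine
// cookie, a stale copy, and a copy whose uid was rewritten to 1.
$now = time();
$cookie = autologin_make_cookie(42, $now);
var_dump(autologin_check_cookie($cookie, $now));
var_dump(autologin_check_cookie($cookie, $now + XOOPS_AUTOLOGIN_LIFETIME + 1));
var_dump(autologin_check_cookie('1' . substr($cookie, 2), $now));
```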


[b]HACKED POINTS:[/b]

You can easily find the hacked points by searching the files for the string 'GIJ'.


[b]ABOUT + ALPHA:[/b]

This hack also modifies your XOOPS so that users can log in by email.
Users can log in with email+password as well as with uname+password.
Of course, users who logged in with email+password are also logged in automatically on their next access.

This hack also disables the "Authentication Factory", the new feature of 2.0.16.
If you want to use that feature, you had better upgrade your XOOPS to 2.2/2.3.


[/xlang:en]
[xlang:ja]
                    by GIJOE    http://www.peak.ne.jp/xoops/
[/xlang:ja]
