Login to WHMCS from external

[thomas.rodriguez]

I followed the API documentation to validate a login [1], which works fine for me.
However, when I set the session variables $_SESSION['uid'] and $_SESSION['upw'] as described there, with the returned userid and passwordhash from the validate login API call, I am not automatically logged in to WHMCS.

Via the forums I found that the passwordhash is (or was once?) computed as follows:
$_SESSION['upw'] = md5($userRow['id'] . $userRow['password'] . $_SERVER['REMOTE_ADDR']);

Because the API is not called from the clients IP but a servers IP, I suppose that this might cause it not to work. However, even if I create the $_SESSION['upw'] hash as described above I am not automatically logged in.

To verify the hashs I obtained the $_SESSION['upw'] variable after a regular login to WHMCS which indeed turns out to be different to the one I am returned by the API call validate login, as well as the manual construction.

Later I discovered AutoAuth [3]. It works for the first page of WHMCS that I enter. However, when I go to other pages of WHMCS the login seems to get lost again.

I even disabled Session IP Checking in the general settings -> security, without success. Also, the timestamp that I use with AutoAuth has the same time as the server time.

Does someone know how this can be succesfully done? Or how I can debug this process in any way in more detail?
Thanks

[jclarke]

I wouldn't use the session based authentication, that will only really work if the other application is on the same domain unless you tweak the cookie to save under the whmcs domain and can just be difficult to work with in general.

That being said, your best bet is to continue to try and get AutoAuth to work instead. Make sure you have disabled your other code that is changing the session variables just in case that is conflicting with AutoAuth and exit out of your browser completely to clear out any session cookies and try your autoauth again.

[thomas.rodriguez]

Thanks for your help. I tried to clear my browser data, session cookies etc. but without success.
I do put some other variables from external in the $_SESSION, but after I go from my site to WHMCS, WHMCS will overwrite any variables that may have conflicting names with my site, right? So if then I have an issue in WHMCS, I don't think it can be because of a conflict there?

Why does it work for the first page I enter in WHMCS, and a second one the session information is lost? Any ideas on this detail?

Here are the $_SESSION variables of the first site:
array(9) { ["email"]=> &string(17) "[email protected]" ["uid"]=> &string(1) "7" ["upw"]=> &string(32) "a4cd87549233cf900f8d83e617206e8d" ["Language"]=> &string(7) "english" ["calinkupdatecc"]=> &int(0) ["calinkupdatesq"]=> &int(0) }

And here, of another one if I continue to navigate in WHMCS:
array(3) { ["calinkupdatecc"]=> &int(0) ["calinkupdatesq"]=> &int(0) ["loginurlredirect"]=> &string(36) "/dach/clientarea.php?action=products" }

[thomas.rodriguez]

@jclarke: Do you use AutoAuth in the most recent version of WHMCS?

Or anybody else?

[jclarke]

Yeah, I use AutoAuth with WHMCS 5.0.3 and it works great. I just followed the instructions here: http://docs.whmcs.com/AutoAuth.

[thomas.rodriguez]

In case somebody gets into similar trouble: In my case the link to dologin.php of autoauth did not exactly match the WHMCS System URL (www. was missing).