Page 1 of 3

Using phpBB with another login system

Posted: Sat Jan 13, 2007 4:13 pm
by senyahnoj
Hello

I'm trying to fathom a way to hack phpBB to integrate more smoothly with a website which has another login system. I want to be able to login through the main website and then pass-through authentication tokens (e.g. a common user_id) to phpBB contained within and link to it's auth tables.

Has anyone else done this? Be interested to hear how they went about it.

Thanks

Posted: Sat Jan 13, 2007 4:56 pm
by Dog Cow
Well, I've never done this, but I think all you need to do is just INSERT a record into phpbb_sessions. You'll need to generate a session_id as well, and have that as a cookie on the user's local computer.

Posted: Sat Jan 13, 2007 7:39 pm
by senyahnoj
You're right!

Well I wasn't expecting anything that beautifully simple - works like a charm - thank you very much :D

Posted: Mon Jan 15, 2007 9:57 pm
by Dog Cow
You're welcome. :D

Posted: Fri Feb 02, 2007 4:11 am
by pyrokenesis
I'm re-igniting this post because it seems to be what I need.

I have the following code:

Inside a database class I created the following function:

Code: Select all

/**
 * addPHPBBSessionInfo - Inserts the given session
 * details into the phpbb_sessions table.
 * Returns true on success, false otherwise.
 */
function addPHPBBSessionInfo($session_id, $session_user_id, $session_start, $session_time, $session_ip, $session_logged_in)
{
      $session_ip = $this->encode_ip($session_ip);
      $session_time = time();
      $q = "INSERT INTO phpbb_database_name.phpbb_sessions VALUES ('$session_id', $session_user_id, $session_start, $session_time, '$session_ip', 0, $session_logged_in, 0)";
      return mysql_query($q, $this->connection);
}
I then borrowed the encode_ip() function from the phpbb functions.php file:

Code: Select all

  
function encode_ip($dotquad_ip)
{
      $ip_sep = explode('.', $dotquad_ip);
      return sprintf('%02x%02x%02x%02x', $ip_sep[0], $ip_sep[1], $ip_sep[2], $ip_sep[3]);
}
Lastly, I make this call inside my session class:

Code: Select all

$database->addPHPBBSessionInfo($_SESSION['sid'], $this->phpbb_user_id, $this->time, $this->time, $_SERVER['REMOTE_ADDR'], $this->logged_in);
The full session class and database class, along with the rest of the script can be found here:

http://evolt.org/node/60384

Problem is, nothing happens. I'm gathering from the previous conclusion to this post, that every time someone logs in to my main site, if I insert the relevant session data into phpbb_sessions, they will be logged into my forums as well.

I'm guessing as well that if a user logs out via the main site that I would have some kind of function that removes that insert from the table using "where session_id = {that particular session id}".

Can anyone tell I'm a noobie... :)

Posted: Fri Feb 02, 2007 3:12 pm
by pyrokenesis
Can this even be done??? Anybody............. :cry:

Posted: Fri Feb 02, 2007 3:42 pm
by drathbun
I will move your question to the MOD Writers forum, as that is perhaps a more likely place to get a response.

Posted: Tue Feb 06, 2007 10:30 am
by pyrokenesis
So I was being really stoopid... :? and not passing the parameters correctly, and taking the wrong parameters as well.

I'm now doing this:

Code: Select all

/** 
 * addPHPBBSessionInfo - Inserts the given session 
 * details into the phpbb_sessions table. 
 * Returns true on success, false otherwise. 
 */ 
function addPHPBBSessionInfo($session_id, $session_user_id, $session_ip) 
{ 
      $session_ip = $this->encode_ip($session_ip); 
      $session_time = time();
      $session_start = time(); 
      $q = "INSERT INTO phpbb_database_name.phpbb_sessions VALUES ('$session_id', $session_user_id, $session_start, $session_time, '$session_ip', 0, 1, 0)"; 
      return mysql_query($q); 
}
Thus my call in the session class is:

Code: Select all

$sessionid->session_id();
$database->addPHPBBSessionInfo($sessionid, $this->phpbb_user_id, $_SERVER['REMOTE_ADDR']);
Thus an active user is inserted into the sessions table!!! Hoorah... errr, well, not quite!

The user is deemed to be online but not shown as logged in... I'm guessing I need to add an equivalent 'userdata' array to my session class to say that the user is logged in... or sumfinck? :? Am I on the right track?

I know there's lots of you out there saying, "but why bypass the beautiful login system and session management of phpbb?" Well this quick fix will suffice for now and then I will work from the ground up (when I have time), using phpbb as my foundation. It just makes sense since the integration will be brilliant. Infact, I'll probably wait until Olympus gets to RC1 and then start with that , adding my favourite mods etc, etc.

Note to self: stop coding in Notepad2, start using a PHP IDE!

Login sessions

Posted: Tue Feb 06, 2007 7:28 pm
by jmurch
pyrokenesis,

I am just going down the same path. Have you gotten this working yet?

Regards, Jeff

Posted: Wed Feb 07, 2007 12:41 pm
by pyrokenesis
Nope not past the point I was in the last post. Not enough hours in the day.

Bothersome girlfriend and bothersome fulltime work holding me back.

It will not defeat me! :wink:

Posted: Tue Feb 20, 2007 2:57 pm
by pyrokenesis
Ok so it may of defeated me... :oops: , but only because of time restraints!

Decided to use phpbb's session management and then re-write my session class... not finished but seems to be working.

How does one use the append_sid() method to keep the session on pages outside the forum? Especially if I want to logout from outside the forum?

Posted: Mon Mar 05, 2007 3:56 pm
by pyrokenesis
It be done. :D

Using phpBB to login (may be a ugly hacked solution but hey...), I then start the session on my main site and just add the relevant variables for the user. Thus when you login, as I'm using the MPS mod, I redirect users to their profiles. They can then navigate back to the main site and they will be logged in their as well.

You can also login directly from the forums, and you will still be logged in on the main site.

If anyones interested (probably not) I'll post the code here later as I do not have it now.

Does anyone know how to redirect to a page of your choice when logging out (i.e. the referrer), as at the moment you are redirected to the forum index page?

Posted: Mon Mar 05, 2007 7:43 pm
by DejanPP
Post code here, I will need this soon (have no time to implement that right now, too buzy with other details). You may be interesed in something compatible with that what I did yesterday, user creation and update from another site :
http://www.phpbb.com/phpBB/viewtopic.php?t=524408

Anyway, what you doing is problem and also may be security problem because you can't write cookie on site No1 and to read same cookie on site No2.

Because of that you need to redirect user to some .php page which will trust him and login auto but this become security problem. Because of all of that need to be done more complicated :

Let's call one site "main site" and forum just "forum"

On main site do remote (if this is .asp do "MSXML2.ServerHttpRequest", if this is .php find on forum page how they chkecing is your server version up to date, I seen that but I am not familiar with php and didn't tryed to understeand). From main site then do remote post to forum and send username / password, would be good idea if forum .php page checking IP address and receiving request only from your main web site.
Forum .php page shall authenticate user and generate session, session need to be sent by same remote call connection. Once session is created just generate link for forum and this user and let him click or redirect him.

Pay atention that this is ONLY ONE safe method because your main site SERVER SIDE communicating with forum, any other manner with user redirection can become security problem.

Well, that is not big deal to be done but your code can save me 1 hour because of creating session etc :)

BTW. In my code is used MSXML2.HttpRequest, you need to use MSXML2.ServerHttpRequest because need to set resolve/connect/post/receive timeouts, else, you need to wait by default 20 seconds in case if forum is unreachable.

Posted: Mon Mar 05, 2007 9:01 pm
by pyrokenesis
I'm not sure it is a security issue, since both databases are on the same server, and the forum is a subsite of the main site.

The method I use effectively starts two sessions and does not need to set the cookie for the main site (which is why I said it's a bit of a hack but it works).

The code checks to see if a user is logged in via the forums, if so, you are automatically logged in on the main site.

I'm no expert but I'm struggling to see the security flaw!!!

Feel free to give me a digital slap if I'm being stupid :lol:

Here is the code:

Code: Select all

<?php
$phpbb_root_path = './forums/';
						
define('IN_PHPBB', true);

//
// phpBB related files
//

include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/bbcode.' . $phpEx);

//
// start session management
//

$userdata = session_pagestart($user_ip, PAGE_INDEX);
init_userprefs($userdata);
	
if($userdata['session_logged_in']) 
{
	$db = mysql_connect(DB_SERVER, DB_USER, DB_PASS);
	mysql_select_db(DB_NAME,$db);
	$session->startSession();
	$session->userinfo  = $database->getUserInfo($userdata['username']);
	$session->logged_in = 1;
	$session->username  = $_SESSION['username'] = $userdata['username'];
	$session->userid    = $_SESSION['userid']   = $session->userinfo['userid'];
	$session->userlevel = $session->userinfo['userlevel'];
	$session->time		= $userdata['session_start'];
	
	$database->updateUserField($session->username, "userid", $session->userid);
	$database->addActiveUser($session->username, $session->time);
	$database->removeActiveGuest($_SERVER['REMOTE_ADDR']);	
}
$db = mysql_connect(DB_SERVER, DB_USER, DB_PASS);
mysql_select_db(DB_NAME,$db);
?>
This code needs to be included in every page of your main site.

Not sure about the stuff your doing DejanPP, looks interesting though.

Posted: Mon Mar 05, 2007 11:15 pm
by DejanPP
if you doing that on same server this is easy, what I were doing are two servers, another one is windows and asp.