[solved] External login after 3.2.6

Aurelienazerty
Registered User
Posts: 169
Joined: Sat Jan 08, 2005 8:21 pm

Post by Aurelienazerty »

Hi,
What version of phpBB are you using? phpBB 3.2.7
What is your board's URL? https://www.team-azerty.com/forum/
Who do you host your board with? ovh vps
How did you install your board? I used the download package from phpBB.com
What language(s) is your board currently using? French
Which database type/version are you using? MariaDB
What is your level of experience? Comfortable with PHP and phpBB
Please describe your problem. I made an external form login to my phpBB board; it used to work before 3.2.6, but now it doesn't work any more.
I get the "The submitted form was invalid" message. If I make another login attempt from the forum, it works.

In my form I have:

```html
<form action="/forum/ucp.php?mode=login&amp;sid=082eccbbddb142324d44bb81556c3194" method="post" id="login5cddc34354f83" data-focus="loginusername5cddc34354f83">
<label for="loginusername5cddc34354f83">Pseudo :</label><br>
<input name="username" type="text" size="15" id="loginusername5cddc34354f83"><br>
<label for="loginpassword5cddc34354f83">Mot de passe :</label><br>
<input name="password" type="password" size="15" id="loginpassword5cddc34354f83"><br> <br>
<input type="submit" name="login" value="Connexion" class="awi-button login">
<input type="hidden" name="autologin" value="true">
<input name="form_token" id="form_token" value="35d2f0a8a994b5941959e7893f94047e5fee6342" type="hidden">
<input type="hidden" name="sid" value="082eccbbddb142324d44bb81556c3194">
<input type="hidden" name="creation_time" value="1558037315">
</form>
```
The fields are:
  • creation_time = time()
  • form_token =

    ```php
    $token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
    $token = sha1($now . $user->data['user_form_salt'] . $form_name . $token_sid);
    ```
  • sid = $user->data['session_id']
At the top of my script I have:

```php
$user->session_begin();
$auth->acl($user->data);
$user->setup();
$request = new \phpbb\request\request();
$request->enable_super_globals();
```
Thanks for your help.
Last edited by Aurelienazerty on Sat May 18, 2019 2:46 pm, edited 2 times in total.

3Di
Former Team Member
Posts: 14720
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: External login after 3.2.6

Post by 3Di »

That's custom coding though.

EA117
Registered User
Posts: 1253
Joined: Wed Aug 15, 2018 3:23 am

Re: External login after 3.2.6

Post by EA117 »

You might have already accounted for it, but you showed "creation_time = time()" and then the form_token calculation used "$now". So I presume the actual code is "creation_time = $now", so that there is no chance that a creation_time is a different time than was used in the form_token calculation.

There isn't anything else "obviously wrong", presuming that you actually do have access to the user class data, as implied by the code shown. If this continues to not work, that's probably where I would debug next: Making sure the user data involved in the calculation you're making on your private form "looks valid" as compared to when you debug the same values on a "real" login form.

(Not the SHA1 hash of the result, since that will always "look valid." I'm saying debug to check you're getting an actual user_form_salt value, and actual session_id value, etc., before they are hashed; in your private form as compared to the phpBB-presented form.)

You may have seen the discussion in this thread. You might try turning off the "Tie forms to guest sessions:" setting in the ACP General tab, Server configuration, Security settings to see if it affects your problem at all.

After turning off "Tie forms to guest sessions:", if your private login page is still failing with "invalid form", there really is some kind of coding problem yet to be identified. If the issue goes away after turning off "Tie forms to guest sessions:", then you may simply be experiencing the same issue as the two people who have reported this problem even with the standard phpBB login forms, and simply need to enable this workaround for now.

Aurelienazerty
Registered User
Posts: 169
Joined: Sat Jan 08, 2005 8:21 pm

Re: External login after 3.2.6

Post by Aurelienazerty »

EA117 wrote:
Thu May 16, 2019 10:21 pm
You may have seen the discussion in this thread. You might try turning off the "Tie forms to guest sessions:" setting in the ACP General tab, Server configuration, Security settings to see if it affects your problem at all.

After turning off "Tie forms to guest sessions:", if your private login page is still failing with "invalid form", there really is some kind of coding problem yet to be identified. If the issue goes away after turning off "Tie forms to guest sessions:", then you may simply be experiencing the same issue as the two people who have reported this problem even with the standard phpBB login forms, and simply need to enable this workaround for now.
Turning on, turning off, the problem is the same.

EA117
Registered User
Posts: 1253
Joined: Wed Aug 15, 2018 3:23 am

Re: External login after 3.2.6

Post by EA117 »

Aurelienazerty wrote:
Sat May 18, 2019 7:52 am
Turning on, turning off, the problem is the same.
Well, that confirms the issue must be with the code created for the separate HTML login page, then. Meaning the cause of "form invalid" could be any one of these conditions:
  • The $form_name you're including in the hash is not "login".
  • The creation_time value in the form isn't the same as the $now included in the value that was hashed.
  • The user_form_salt value retrieved by your code is different than the value phpBB retrieves for your session.
  • The session_id value retrieved by your code is different than the value phpBB retrieves for your session.
For the last two conditions listed, the only way to tell which of those condition(s) is true is to debug and compare the values received in your code to the values add_form_key() uses in the actual phpBB login form that works. Presumably the reason for either of these conditions to be wrong is because you're still missing some portion of the setup required to have "the same execution environment as phpBB pages have" with regard to the user or session information.

Aurelienazerty
Registered User
Posts: 169
Joined: Sat Jan 08, 2005 8:21 pm

Re: External login after 3.2.6

Post by Aurelienazerty »

EA117 wrote:
Sat May 18, 2019 11:09 am
The $form_name you're including in the hash is not "login".
Indeed, wrong copy/paste: the $form_name was "posting" instead of "login".

So, for those who have the same issue, for external login:
  1. Include phpBB:

    ```php
    include($phpbb_root_path . 'common.' . $phpEx);
    include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
    include($phpbb_root_path . 'includes/message_parser.' . $phpEx);

    //
    // Start session management
    //
    $user->session_begin();
    $auth->acl($user->data);
    $user->setup();
    //include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
    $id_user = $user->data['user_id'];

    $request = new \phpbb\request\request();
    $request->enable_super_globals();
    ```
  2. Token:

    ```php
    $now = time();
    $form_name = 'login';
    $token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
    $token = sha1($now . $user->data['user_form_salt'] . $form_name . $token_sid);
    ```
  3. Form:

    ```html
    <form action="/forum/ucp.php?mode=login" method="post" id="login5cddc34354f83" data-focus="loginusername5cddc34354f83">
    <label for="loginusername5cddc34354f83">Pseudo :</label><br>
    <input name="username" type="text" size="15" id="loginusername5cddc34354f83"><br>
    <label for="loginpassword5cddc34354f83">Mot de passe :</label><br>
    <input name="password" type="password" size="15" id="loginpassword5cddc34354f83"><br> <br>
    <input type="submit" name="login" value="Connexion" class="awi-button login">
    <input type="hidden" name="autologin" value="true">
    <input name="form_token" id="form_token" value="<?php echo $request->variable('form_token', $token) ?>" type="hidden">
    <input type="hidden" name="sid" value="<?php echo $user->data['session_id'] ?>">
    <input type="hidden" name="creation_time" value="<?php echo $now  ?>">
    </form>
    ```
Thanks for the help.
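For anyone reproducing the diagnosis from this thread, here is an added stand-alone example (not phpBB's own code and not the poster's script) that reimplements the token formula from step 2 and a simplified mirror of the server-side check so the mismatch causes EA117 listed (wrong $form_name, different session id, bad creation_time) can be tried offline. The salt, session ids, timestamps and lifetime below are constructed values, and the checker is a simplified restatement of phpBB's check_form_key(), not a copy of it.

```php
<?php
// Added example (not phpBB's code, not the poster's script): the token formula from
// step 2 above plus a simplified mirror of the check ucp.php?mode=login performs.
// All sample values (salt, session ids, timestamps, lifetime) are constructed.
const ANONYMOUS = 1;

// Builds form_token exactly as the thread's step 2 does.
function build_login_token(int $now, array $user_data, string $session_id,
                           string $form_name, bool $tie_guest_sessions): string
{
    $token_sid = ($user_data['user_id'] == ANONYMOUS && $tie_guest_sessions) ? $session_id : '';
    return sha1($now . $user_data['user_form_salt'] . $form_name . $token_sid);
}

// Simplified from phpBB's check_form_key(): creation_time must differ from "now" and
// lie within $lifetime seconds (-1 = unlimited), and the posted token must equal the
// hash recomputed from the server's own view of salt, session id and form name.
function check_login_token(array $post, array $user_data, string $session_id,
                           bool $tie_guest_sessions, int $lifetime, int $now_server): string
{
    $creation_time = abs((int) $post['creation_time']);
    $diff = $now_server - $creation_time;
    if ($diff === 0 || ($lifetime !== -1 && $diff > $lifetime)) {
        return 'rejected: creation_time is zero-age or older than the token lifetime';
    }
    $expected = build_login_token($creation_time, $user_data, $session_id, 'login', $tie_guest_sessions);
    return hash_equals($expected, (string) $post['form_token']) ? 'ok' : 'The submitted form was invalid';
}

// Constructed guest session on a board with "Tie forms to guest sessions" enabled.
$user_data = ['user_id' => ANONYMOUS, 'user_form_salt' => 'constructedsalt123'];
$sid       = 'constructedsid00000000000000000';
$now       = 1558037315;
$lifetime  = 7200;

// 1. Correct external form: form_name "login", same sid, creation_time equal to $now.
$good = ['creation_time' => $now,
         'form_token'    => build_login_token($now, $user_data, $sid, 'login', true)];
echo check_login_token($good, $user_data, $sid, true, $lifetime, $now + 60), "\n";

// 2. The thread's actual bug: hashed with form_name "posting" instead of "login".
$bad = $good;
$bad['form_token'] = build_login_token($now, $user_data, $sid, 'posting', true);
echo check_login_token($bad, $user_data, $sid, true, $lifetime, $now + 60), "\n";

// 3. Guest token bound to a session id the server does not see (sid mismatch).
echo check_login_token($good, $user_data, 'othersid', true, $lifetime, $now + 60), "\n";

// 4. Submitted in the same second the token was generated (diff == 0).
echo check_login_token($good, $user_data, $sid, true, $lifetime, $now), "\n";
```

Comparing the inputs to build_login_token() on the external page against the same values inside a real phpBB request is the debugging step EA117 describes; the hash itself tells you nothing once the inputs differ.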

ProvoAggie
Registered User
Posts: 1
Joined: Tue Jul 23, 2019 11:25 pm

Re: [solved] External login after 3.2.6

Post by ProvoAggie »

I'm experiencing this same issue on phpBB 3.2.7. Did something change again with 3.2.7 that breaks the previous solution? I generated a file that literally just has the code from the solution and it doesn't appear to work.

https://www.usufans.com/loginform.php
Username: TestAccount
Password: 12345678

That account doesn't work from the login form page but it works in phpBB. It appears that the additional variables are generating the way that they should be. Any ideas?

EA117
Registered User
Posts: 1253
Joined: Wed Aug 15, 2018 3:23 am

Re: [solved] External login after 3.2.6

Post by EA117 »

Something did change again between phpBB 3.2.6 and phpBB 3.2.7 related to the login form token, but not in a way which should have affected your solution.

Instead of providing templates with the new form token through the new {S_FORM_TOKEN_LOGIN} template variable that was created for it, phpBB 3.2.7 actually passes the new form token through the {S_LOGIN_REDIRECT} template variable, which already existed. This is so that even if someone continues using a style which has not been updated for phpBB 3.2.6 and later, login will continue to work (for now) rather than being such a prominent phpBB 3.2.6 / phpBB 3.2.7 post-update issue.

But you're not using either the {S_LOGIN_REDIRECT} or {S_FORM_TOKEN_LOGIN} template variables to construct the form. And the update doesn't modify anything about the login form field names or contents that ucp.php?mode=login is going to be expecting. So this phpBB 3.2.7 change really doesn't mean anything to your external login form.

I'm seeing a few different results right now:
  • If I clear cookies and start at https://www.usufans.com/loginform.php, the form looks fine, the SID value in the form matches what's also saved in cookies, a valid creation time is set, etc. Submitting correct credentials from that form results in "no error". I'm simply taken to ucp.php?mode=login without any login failure message, as though I haven't made any attempt to login yet.
  • At that point, in the ucp.php?mode=login page which is now being displayed to me, if I try to use your login fields up in the top header of the page, entering correct credentials results in "The submitted form is invalid." Re-attempting login using the same login fields at the top of the page will produce the same "invalid form" result again and again.
  • If I stop retrying with the login fields in the header at the top of the page, and instead use "the main login fields" in the ucp.php?mode=login page, entering correct credentials will login successfully.
  • Additionally, whether I clear cookies or not, if I simply use "the main login form" on the ucp.php?mode=login page (the one in the middle of the page, presented as proSilver would also present it), entering correct credentials in this form always results in a successful login, under any of the previous scenarios.
I can't tell that anything is wrong in the https://www.usufans.com/loginform.php case; you would have to just debug the login_box() code once ucp.php?mode=login is invoked to post the login form, and follow the code to see why the login is thought to be not successful, and maybe what code path occurred which bypassed displaying any error.

For the cases where "login form fields in the header at the top of the page result in submitted form invalid", what I see is that the calculated form_token value (the hashed data) is different between your form and "the main login form". Your "creation time" values are the same, and the SID values are the same. But even though this means you should have ended up calculating the same hash value given the exact same input data, you don't. So something about the data you use for your form is apparently different from the main form, in this case.

When I've cleared cookies and can successfully use the login form fields in the header at the top of the page, I also observe that the hashed form_token value is the same between the two login forms, too. So the data you used to calculate the hash was completely identical in that success case.

One thing which looks potentially wrong to me is that in the "3. Form" section of your earlier post, you used $user->data['session_id'] to put the SID value into the actual login form. As opposed to $user->session_id, which is where it was obtained for the hashing of form_token. I expect the former is retrieving the session_id value currently saved in the database, which I suppose may or may not be "the session I'm currently in" (yet). The code should probably be pulling from $user->session_id in both cases, to get the "live" session ID.

That doesn't seem very likely for being the root cause, though. Maybe it is if your "3. Form" code represents how you're constructing the login form fields in the header at the top of the page. (As opposed to simply using {S_LOGIN_REDIRECT} and {S_FORM_TOKEN_LOGIN} there, since you're inside a regular style template at that point.) Hmm, I guess you must be using your own code for the login form at the top of the page, because if you were using {S_LOGIN_REDIRECT} and {S_FORM_TOKEN_LOGIN} for that form, there would be 0% chance of the login_key values being different. So possibly the $user->session_id change could fix things.

Otherwise, if that change doesn't fix things, "debug login_box() to see why login is thought to have failed when using https://www.usufans.com/loginform.php", and then separately "debug why you can get a wrong/different form_token value in your header login form as compared to the main login form on ucp.php?mode=login", are the only suggestions I can make based on what I've seen. Because the root cause isn't obvious to me, either.
