[solved] External login after 3.2.6

Post by Aurelienazerty » Thu May 16, 2019 8:13 pm

Hi,
What version of phpBB are you using? phpBB 3.2.7
What is your board's URL? https://www.team-azerty.com/forum/
Who do you host your board with? ovh vps
How did you install your board? I used the download package from phpBB.com
What language(s) is your board currently using? French
Which database type/version are you using? MariaDB
What is your level of experience? Comfortable with PHP and phpBB
Please describe your problem. I made an external login form for my phpBB board. It used to work before 3.2.6, but now it doesn't work any more.
I had the "The submitted form was invalid" message. If I make another login attempt from the forum, it works.

In my form I have:

Code:

<form action="/forum/ucp.php?mode=login&amp;sid=082eccbbddb142324d44bb81556c3194" method="post" id="login5cddc34354f83" data-focus="loginusername5cddc34354f83">
<label for="loginusername5cddc34354f83">Pseudo :</label><br>
<input name="username" type="text" size="15" id="loginusername5cddc34354f83"><br>
<label for="loginpassword5cddc34354f83">Mot de passe :</label><br>
<input name="password" type="password" size="15" id="loginpassword5cddc34354f83"><br> <br>
<input type="submit" name="login" value="Connexion" class="awi-button login">
<input type="hidden" name="autologin" value="true">
<input name="form_token" id="form_token" value="35d2f0a8a994b5941959e7893f94047e5fee6342" type="hidden">
<input type="hidden" name="sid" value="082eccbbddb142324d44bb81556c3194">
<input type="hidden" name="creation_time" value="1558037315">
</form>

The fields:
  • creation_time = time()
  • form_token =

    Code:

    $token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
    $token = sha1($now . $user->data['user_form_salt'] . $form_name . $token_sid);
  • sid = $user->data['session_id']

At the top of my script I have:

Code:

$user->session_begin();
$auth->acl($user->data);
$user->setup();
$request = new \phpbb\request\request();
$request->enable_super_globals();

Thanks for your help.
Last edited by Aurelienazerty on Sat May 18, 2019 2:46 pm, edited 2 times in total.

Re: External login after 3.2.6

Post by 3Di » Thu May 16, 2019 8:16 pm

That's custom coding though.

Re: External login after 3.2.6

Post by EA117 » Thu May 16, 2019 10:21 pm

You might have already accounted for it, but you showed "creation_time = time()" and then the form_token calculation used "$now". So I presume the actual code is "creation_time = $now", so that there is no chance that a creation_time is a different time than was used in the form_token calculation.

There isn't anything else "obviously wrong", presuming that you actually do have access to the user class data, as implied by the code shown. If this continues to not work, that's probably where I would debug next: Making sure the user data involved in the calculation you're making on your private form "looks valid" as compared to when you debug the same values on a "real" login form.

(Not the SHA1 hash of the result, since that will always "look valid." I'm saying debug to check you're getting an actual user_form_salt value, and actual session_id value, etc., before they are hashed; in your private form as compared to the phpBB-presented form.)

You may have seen the discussion in this thread. You might try turning off the "Tie forms to guest sessions:" setting in the ACP General tab, Server configuration, Security settings to see if it affects your problem at all.

After turning off "Tie forms to guest sessions:", if your private login page is still failing with "invalid form", there really is some kind of coding problem yet to be identified. If the issue goes away after turning off "Tie forms to guest sessions:", then you may simply be experiencing the same issue as the two people who have reported this problem even with the standard phpBB login forms, and simply need to enable this workaround for now.

Re: External login after 3.2.6

Post by Aurelienazerty » Sat May 18, 2019 7:52 am

EA117 wrote:
Thu May 16, 2019 10:21 pm
You may have seen the discussion in this thread. You might try turning off the "Tie forms to guest sessions:" setting in the ACP General tab, Server configuration, Security settings to see if it affects your problem at all.

After turning off "Tie forms to guest sessions:", if your private login page is still failing with "invalid form", there really is some kind of coding problem yet to be identified. If the issue goes away after turning off "Tie forms to guest sessions:", then you may simply be experiencing the same issue as the two people who have reported this problem even with the standard phpBB login forms, and simply need to enable this workaround for now.
Turning on, turning off, the problem is the same.

Re: External login after 3.2.6

Post by EA117 » Sat May 18, 2019 11:09 am

Aurelienazerty wrote:
Sat May 18, 2019 7:52 am
Turning on, turning off, the problem is the same.
Well, that confirms the issue must be with the code created for the separate HTML login page, then. Meaning the cause of "form invalid" could be any one of these conditions:
  • The $form_name you're including in the hash is not "login".
  • The creation_time value in the form isn't the same as the $now included in the value that was hashed.
  • The user_form_salt value retrieved by your code is different than the value phpBB retrieves for your session.
  • The session_id value retrieved by your code is different than the value phpBB retrieves for your session.
For the last two conditions listed, the only way to tell which of those condition(s) is true is to debug and compare the values received in your code to the values add_form_key() uses in the actual phpBB login form that works. Presumably the reason for either of these conditions to be wrong is because you're still missing some portion of the setup required to have "the same execution environment as phpBB pages have" with regard to the user or session information.
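
The four conditions listed in the post above can be checked mechanically. The following is an added example, not part of the original thread and not phpBB's own code: it models the token formula quoted in this thread outside phpBB and reports which single input the external page hashed differently. The function names `form_token()` and `diagnose_token()` and the salt and session values are hypothetical, constructed for illustration.

```php
<?php
// Added example: models the token formula quoted in this thread, outside phpBB.
// Salt and session id below are constructed samples, not values from a real board.

function form_token(int $creation_time, string $salt, string $form_name, string $token_sid): string
{
    return sha1($creation_time . $salt . $form_name . $token_sid);
}

/**
 * Report which single input the external page got wrong.
 * $expected: inputs the validating page uses; $candidates: plausible wrong values per input.
 */
function diagnose_token(string $submitted, array $expected, array $candidates): string
{
    $build = function (array $v): string {
        return form_token($v['creation_time'], $v['salt'], $v['form_name'], $v['token_sid']);
    };
    if (hash_equals($build($expected), $submitted)) {
        return 'token valid';
    }
    foreach ($candidates as $field => $values) {
        foreach ($values as $value) {
            $trial = $expected;
            $trial[$field] = $value; // swap exactly one input and re-hash
            if (hash_equals($build($trial), $submitted)) {
                return "mismatch in $field: form was built with " . var_export($value, true);
            }
        }
    }
    return 'no single-input explanation found; compare the raw values on both pages';
}

// Constructed scenario: the external page hashed 'posting' instead of 'login'.
$expected = [
    'creation_time' => 1558037315,
    'salt'          => 'constructed-form-salt',
    'form_name'     => 'login',
    'token_sid'     => 'constructed-session-id',
];
$submitted = form_token(1558037315, 'constructed-form-salt', 'posting', 'constructed-session-id');

$candidates = [
    'form_name'     => ['posting'],                                // copy/paste from another form
    'creation_time' => range(1558037315 - 5, 1558037315 + 5),      // time() called twice
    'token_sid'     => [''],                                       // guest-session setting differs
];

echo diagnose_token($submitted, $expected, $candidates), PHP_EOL;
```

A salt mismatch cannot be guessed from candidates, so the fall-through message points back to comparing the raw pre-hash values on both pages.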

Re: External login after 3.2.6

Post by Aurelienazerty » Sat May 18, 2019 2:46 pm

EA117 wrote:
Sat May 18, 2019 11:09 am
The $form_name you're including in the hash is not "login".
Indeed, wrong copy/paste, the $form_name was "posting" instead of "login".

So, for anyone who has the same issue, for external login:
  1. Include phpBB:

    Code:

    // IN_PHPBB, $phpbb_root_path and $phpEx must already be defined before this point.
    include($phpbb_root_path . 'common.' . $phpEx);
    include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
    include($phpbb_root_path . 'includes/message_parser.' . $phpEx);
    
    //
    // Start session management
    //
    $user->session_begin();
    $auth->acl($user->data);
    $user->setup();
    //include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
    $id_user = $user->data['user_id'];
    
    $request = new \phpbb\request\request();
    $request->enable_super_globals();
  2. Token:

    Code:

    $now = time();
    $form_name = 'login';
    $token_sid = ($user->data['user_id'] == ANONYMOUS && !empty($config['form_token_sid_guests'])) ? $user->session_id : '';
    $token = sha1($now . $user->data['user_form_salt'] . $form_name . $token_sid);
  3. Form:

    Code:

    <form action="/forum/ucp.php?mode=login" method="post" id="login5cddc34354f83" data-focus="loginusername5cddc34354f83">
    <label for="loginusername5cddc34354f83">Pseudo :</label><br>
    <input name="username" type="text" size="15" id="loginusername5cddc34354f83"><br>
    <label for="loginpassword5cddc34354f83">Mot de passe :</label><br>
    <input name="password" type="password" size="15" id="loginpassword5cddc34354f83"><br> <br>
    <input type="submit" name="login" value="Connexion" class="awi-button login">
    <input type="hidden" name="autologin" value="true">
    <input name="form_token" id="form_token" value="<?php echo $request->variable('form_token', $token) ?>" type="hidden">
    <input type="hidden" name="sid" value="<?php echo $user->data['session_id'] ?>">
    <input type="hidden" name="creation_time" value="<?php echo $now  ?>">
    </form>

Thanks for the help.
