Post with c# application

gubic76
Registered User
Posts: 1
Joined: Mon May 11, 2020 4:45 pm

Post by gubic76 »

Hello,

First of all, sorry if I didn't post in the right place (I'm a bit lost here ^^)

In my company we use a phpBB forum to monitor the service and in particular requests to external contractors.

Our Forum is linked to our Active Directory.

To involve our service providers, we open tickets via internal tools (in C#) then we inform the forum to ensure follow-up.

I would like to modify our tool so that it opens a new subject for each new ticket.

I tried the following code: viewtopic.php?p=13009841#p13009841

I have just tested the connection to the forum for the moment but the request always returns the value 1 for the cookie: phpbb3_xxxx_u

I have tried various forms for AD users, and I have tried several users:

user
domain\user
user@domain.fr

Does anyone among you have an idea, or has anyone even already developed this kind of code?

Thanks in advance, gubic76
AmigoJack
Registered User
Posts: 5782
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Post with c# application

Post by AmigoJack »

The linked code neglects using the SID which you get with every request and also have to send either through cookies or URI parameters. Your program must do what a web browser does: adhering to HTTP. Capture the HTTP traffic from your browser for the process of requesting a board's login page until finally being signed in - you'll then notice what's been received and sent in cookies and payloads.

Broken down in simple terms:
  • Request the login page, read the SID from the HTML payload so you're able to send it back yourself.
  • Submit the HTML form with username, password, and SID - just like the web browser would do it.
  • The response is most likely a redirect, but the cookie should already reflect you're signed in.
And, of course: based on the cookie's lifetime you don't have to log in every time the program should create a post - your session still lives on. Creating a post is the same story: analyze the HTTP traffic and find out what's sent and received.
EA117
Registered User
Posts: 1817
Joined: Wed Aug 15, 2018 3:23 am

Re: Post with c# application

Post by EA117 »

That code against a current phpBB 3.2.6 or later board also needs to be updated to handle the form_token and creation_time fields which had been added to phpBB login processing since that code was written. One additional reason the current code will be getting SID 1 after the login attempt is because you're getting "form invalid" returned back to you in absence of those fields.

Like AmigoJack said, that too is an aspect of "doing what the web browser does." Although in this case we're saying there is data you must pull out of the actual login form which was provided to you, when you requested a copy of the login page without actually attempting to login yet. And then include those form_token and creation_time values in the data that you do actually POST, in addition to the username and password fields.

Essentially these fields are preventing you from "creating a login attempt out of the blue", and you must request a login form from the phpBB application before being able to then make a login attempt. The values in form_token and creation_time "prove" you received a login form from phpBB. If for any reason the phpBB board starts refusing to give you a login form, you'll be without sufficient data to even make a login attempt, as intended.

If you're looking at the HTML form that you get when simply viewing the login page, you'll note there is also a "sid" field that is part of the login form itself as well, in addition to the SID or _u cookie that is being discussed at the HTTP level. I don't think the "sid" value in the form is actually key to logging in, but there is no reason you can't simply repeat back the value of the "sid" field in the login form too, same as you'll be doing for "form_token" and "creation_time".
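
The sequence both replies describe (request the login form, send back its form_token, creation_time and sid together with the credentials, then check the cookie), as an added C# example that is not code from this thread or from phpBB. The login URL passed in, the `login` submit field and the sample HTML are assumptions; `Main` only runs the parsing step, offline.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
static class PhpbbLoginSketch
{
    // Collect every hidden input of the login form (form_token, creation_time, sid, ...).
    // Assumes double-quoted attributes; use a real HTML parser if the board's style differs.
    public static Dictionary<string, string> HiddenFields(string html)
    {
        var fields = new Dictionary<string, string>();
        foreach (Match tag in Regex.Matches(html, "<input\\b[^>]*>", RegexOptions.IgnoreCase))
        {
            if (!Regex.IsMatch(tag.Value, "type=\"hidden\"", RegexOptions.IgnoreCase)) continue;
            var name = Regex.Match(tag.Value, "name=\"([^\"]*)\"");
            var value = Regex.Match(tag.Value, "value=\"([^\"]*)\"");
            if (name.Success) fields[name.Groups[1].Value] = WebUtility.HtmlDecode(value.Groups[1].Value);
        }
        return fields;
    }
    // GET the form, echo its hidden fields back with the credentials, then read the *_u cookie.
    public static async Task<bool> LoginAsync(Uri loginUrl, string user, string password)
    {
        var jar = new CookieContainer(); // carries the session cookies between both requests
        using var http = new HttpClient(new HttpClientHandler { CookieContainer = jar });
        var form = HiddenFields(await http.GetStringAsync(loginUrl));
        if (!form.ContainsKey("form_token") || !form.ContainsKey("creation_time"))
            throw new InvalidOperationException("login form carried no form_token/creation_time");
        form["username"] = user;
        form["password"] = password;
        form["login"] = "Login"; // assumed submit field; confirm against captured browser traffic
        await http.PostAsync(loginUrl, new FormUrlEncodedContent(form));
        // The anonymous user has id 1, so a *_u cookie still equal to "1" means the login failed.
        return jar.GetCookies(loginUrl).Cast<Cookie>().Any(c => c.Name.EndsWith("_u") && c.Value != "1");
    }
    static void Main()
    {
        // Constructed sample form so the parsing step runs offline; all values are made up.
        const string sample =
            "<input type=\"text\" name=\"username\" value=\"\" />" +
            "<input type=\"hidden\" name=\"creation_time\" value=\"1589215500\" />" +
            "<input type=\"hidden\" name=\"form_token\" value=\"0123abcd\" />" +
            "<input type=\"hidden\" name=\"sid\" value=\"feedface\" />";
        foreach (var kv in HiddenFields(sample)) Console.WriteLine($"{kv.Key}={kv.Value}");
    }
}
```

When calling `LoginAsync` against a real board, use an HTTPS login URL and a dedicated board account with only the posting permissions the ticket tool needs, since the password travels in the POST body.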