Topic: External login / cookie / authentication questions

We are working on integrating PunBB into one of our major sites. We don't need to worry about account CRUD; this is already working. The only piece we have not been able to complete is the login script that lets people who log in on our main site appear logged in on the PunBB forums.

Forums are located in www.domain.com/forums/.  $forumUser['PunbbUser'] is a database row from the punbb_users db table.  $password is set above this block of code, but it is the value passed from the login form.

Here is our integration script:

    $forum_user = $forumUser['PunbbUser'];  //  used to spoof punbb into thinking we are logged in

    if(!defined('FORUM_ROOT')) {
        define('FORUM_ROOT', 'forums/');
    }

    require_once FORUM_ROOT.'config.php';
    require_once FORUM_ROOT.'include/functions.php';

    ($hook = get_hook('in_start')) ? eval($hook) : null;

    $userId    = $forumUser['PunbbUser']['id'];
    $salt      = $forumUser['PunbbUser']['salt'];
    $hash      = forum_hash($password, $salt);
    $saveLogin = 0;

    $expire = ($saveLogin) ? time() + 1209600 : time() + $forum_config['o_timeout_visit'];

    forum_setcookie($cookie_name, base64_encode($userId.'|'.$hash.'|'.$expire.'|'.sha1($salt.$hash.forum_hash($expire, $salt))), $expire);

This actually generates a cookie.  I have compared all the vars going into forum_setcookie() and they are 100% the same as those used in /forums/login.php (ignoring the time difference of $expires).

Can someone please point out the detail that we are missing.  I would owe the owner of the correct answer a beer, for sure.

Thanks.

Re: External login / cookie / authentication questions

What's the problem?

Does the forum say something when you access it with a logged-in user? ...

Or does it just stay logged out, or do you get the error: appeared a cookie has been set, ....

What you could do is create some sort of test script: run the current code, after the cookie has been set run the cookie_login() function, and then print the forum_user array again and see what is in that array.

From that point on we can continue debugging :)

~Cereal
I've finally learned what "upward compatible" means. It means we get to keep all our old mistakes.
The limits of language are the limits of one's world.

Re: External login / cookie / authentication questions

> What's the problem?

If I log in from the external script, I don't appear as logged in on the forums.

> Does the forum say something when you access it with a logged-in user? ...

If I log in with the external script and then navigate to the forums, it shows me as logged out.

> run the current code, after the cookie has been set run the cookie_login() function and then print the forum_user array

Doing this shows me as guest.

As far as I can tell, 100% of the data going into forum_setcookie() is the same in my script as in the forum/login.php.

What is csrf_token on the forums/login.php form?

Re: External login / cookie / authentication questions

> What is csrf_token on the forums/login.php form?

That's a token to limit CSRF attacks :) (http://en.wikipedia.org/wiki/Cross-site_request_forgery)

Inside cookie_login, add a print_r($forum_user) before the following lines (in your test script):

    // If this a cookie for a logged in user and it shouldn't have already expired
    if (intval($cookie['user_id']) > 1 && intval($cookie['expiration_time']) > $now)
    {

and

    // We now validate the cookie hash
    if ($cookie['expire_hash'] !== sha1($forum_user['salt'].$forum_user['password'].forum_hash(intval($cookie['expiration_time']), $forum_user['salt'])))
        set_default_user();

and

    // If we got back the default user, the login failed
    if ($forum_user['id'] == '1')
    {

and let me know from what point on you're a guest user; this will help us narrow down the problem.

Maikel

~Cereal

5 (edited by loki_racer 2009-01-13 14:55)

Re: External login / cookie / authentication questions

Only the one before

// If this a cookie for a logged in user and it shouldn't have already expired
    if (intval($cookie['user_id']) > 1 && intval($cookie['expiration_time']) > $now)
    {

prints anything.  The data is my user array from the database.

Latest updated code

    if(!defined('FORUM_ROOT')) {
        define('FORUM_ROOT', 'forums/');
    }

    require_once FORUM_ROOT.'config.php';
    require_once FORUM_ROOT.'include/functions.php';
    require_once FORUM_ROOT.'include/dblayer/common_db.php';

    ($hook = get_hook('in_start')) ? eval($hook) : null;

    $userId    = $forum_user['id'];
    $salt      = $forum_user['salt'];
    $password  = $_POST['password'];
    $hash      = forum_hash($password, $salt);
    $saveLogin = 0;

    $expire = time()+60*60*24*30;

    forum_setcookie($cookie_name, base64_encode($userId.'|'.$hash.'|'.$expire.'|'.sha1($salt.$hash.forum_hash($expire, $salt))), $expire);

    cookie_login($forum_user);

Re: External login / cookie / authentication questions

Then do a printout of the $cookie array and at the same time the time() value, and a printout of $forum_user, and give them :)

~Cereal

Re: External login / cookie / authentication questions

$forum_user

Array
(
    [id] => 2
    [group_id] => 1
    [username] => {user_id}
    [password] => {password_here}
    [salt] => {salt_here}
    [email] => {email}
    [title] => 
    [realname] => 
    [url] => 
    [jabber] => 
    [icq] => 
    [msn] => 
    [aim] => 
    [yahoo] => 
    [location] => 
    [signature] => 
    [disp_topics] => 
    [disp_posts] => 
    [email_setting] => 1
    [notify_with_post] => 0
    [auto_notify] => 0
    [show_smilies] => 1
    [show_img] => 1
    [show_img_sig] => 1
    [show_avatars] => 1
    [show_sig] => 1
    [access_keys] => 0
    [timezone] => 0
    [dst] => 0
    [time_format] => 0
    [date_format] => 0
    [language] => English
    [style] => Oxygen
    [num_posts] => 1
    [last_post] => 1231794225
    [last_search] => 
    [last_email_sent] => 
    [registered] => 1231794225
    [registration_ip] => 127.0.0.1
    [last_visit] => 1231812874
    [admin_note] => 
    [activate_string] => 
    [activate_key] => 
)

$cookie

Array
(
    [user_id] => 1
    [password_hash] => Guest
    [expiration_time] => 0
    [expire_hash] => Guest
)

Re: External login / cookie / authentication questions

Here is your problem :)

[expiration_time] => 0

You could check what's in the $_COOKIE array?

~Cereal

Re: External login / cookie / authentication questions

Array
(
    [forum_cookie_16bb58] => MnxkMmQxODQ0ZTZiOTE1ZWI0ZWZjNTk4ZjQ0OGE5YWJjYzY4MDU2ZWY4fDEyMzQ0NTEwNjZ8ZDY5NzZmNWFlZGQwOTVhYTUwZjg4YmM3MDNjYWExYWUxYTliZTllOQ==
    [CAKEPHP] => jkei6cr9b835tllrfvcj2go8s1
)
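
The cookie layout and the checks discussed in this thread, as an added example (not from any poster and not PunBB's own code): it builds a cookie value in the layout passed to forum_setcookie() above and reports which validation step fails. The example_* function names and sample values are made up here, and the body of example_forum_hash() is an assumption about PunBB's forum_hash().

```php
<?php
// Added example, not PunBB code. Assumption: PunBB's forum_hash($str, $salt)
// is sha1($salt . sha1($str)); check include/functions.php in your install.
function example_forum_hash($str, $salt)
{
    return sha1($salt . sha1((string) $str));
}

// Same layout as the forum_setcookie() argument in the thread.
function example_build_cookie($userId, $passwordHash, $expire, $salt)
{
    $expireHash = sha1($salt . $passwordHash . example_forum_hash($expire, $salt));
    return base64_encode($userId . '|' . $passwordHash . '|' . $expire . '|' . $expireHash);
}

// Name the first check that would leave the visitor a guest.
// $user: the users-table row for the cookie's user_id ('password', 'salt').
function example_diagnose_cookie($rawCookie, array $user, $now)
{
    $decoded = base64_decode($rawCookie, true);
    $parts = ($decoded === false) ? array() : explode('|', $decoded);
    if (count($parts) !== 4) {
        return 'malformed cookie value';
    }
    list($userId, $passwordHash, $expire, $expireHash) = $parts;
    if (intval($userId) <= 1 || intval($expire) <= $now) {
        return 'guest id or already expired';
    }
    // Assumption: the forum also compares the cookie's hash with the stored one.
    if (!hash_equals($user['password'], $passwordHash)) {
        return 'password_hash differs from stored hash';
    }
    $expected = sha1($user['salt'] . $user['password']
        . example_forum_hash(intval($expire), $user['salt']));
    if (!hash_equals($expected, $expireHash)) {
        return 'expire_hash mismatch';
    }
    return 'ok';
}

// Constructed sample data (not taken from the thread).
$salt = 'k3yS4lt12345';
$now  = 1700000000;
$user = array('password' => example_forum_hash('correct horse', $salt), 'salt' => $salt);
$typo = example_forum_hash('corect horse', $salt);

echo example_diagnose_cookie(example_build_cookie(2, $user['password'], $now + 600, $salt), $user, $now), "\n";
echo example_diagnose_cookie(example_build_cookie(2, $typo, $now + 600, $salt), $user, $now), "\n";
echo example_diagnose_cookie(example_build_cookie(2, $user['password'], $now - 1, $salt), $user, $now), "\n";
```

Running the same function on the value found in $_COOKIE, with the matching row from the users table, separates a cookie whose contents are wrong from one that is valid but is not being read by the forum.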