Topic: Yet another integration issue - setting the cookie outside of punBB

Having spent the better part of the day trying various things from the forum here, thought I would finally break down and ask.  I have a members site which is using sessions.  What I am trying to do is during the checklogin.php, which checks the existing members DB and adds the session info for the rest of the site...also set the cookies for punBB.  End result is when the member is in the members section, they can just click a link to the forum and be already logged in.

Here is the code I have running, unsuccessfully, right now although it looks like it should work:

        //set forum cookies
        $cookie_name = 'punbb_cookie';
        $cookie_domain = '';
        $cookie_path = '/';
        $cookie_secure = 0;
        $cookie_seed = '######';
        $username = addslashes(trim($myusername));
       
        $resultforum = mysql_query("SELECT * FROM TABLE WHERE username LIKE '$username'");
        $rowforum = mysql_fetch_array($resultforum);
       
        $userid = $rowforum['id'];
        $passhash = $rowforum['password'];
       
        $expire = time() + 31536000;
        if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        setcookie($cookie_name, serialize(array($user_id, md5($cookie_seed.$passhash))), $expire, $cookie_path, $cookie_domain, $cookie_secure, true);
        } else {
        setcookie($cookie_name, serialize(array($user_id, md5($cookie_seed.$passhash))), $expire, $cookie_path.'; HttpOnly', $cookie_domain, $cookie_secure);
        }


If anyone has any ideas or advice it would be appreciated.

Re: Yet another integration issue - setting the cookie outside of punBB

Could you link to where you're actually trying this so we can see the output?

Re: Yet another integration issue - setting the cookie outside of punBB

Sure - the login for this is here: http://leaseperfect.com/login.php  and the forum is located: http://leaseperfect.com/members/forum

What happens is when someone registers, I have it also setting up the forum user behind the scenes which works fine.  Then when logging in, it sets the session info for the member and hopefully the cookies as well.

Here is a test login and password if that helps:

Username: testing
Password: testing

That works for both the members section and the forum...tested separately.

My end goal is once someone logs in...they can just click on the 'LP Forums' link on the right and access the forums without logging in again.

Re: Yet another integration issue - setting the cookie outside of punBB

Upon some further testing, it appears as though the password hash or cookie may not be setting correctly.

Here is the cookie I set:

Array ( [PHPSESSID] => 55ebbb7f7b2f0fac58ec0b1307d787c3 [punbb_cookie] => a:2:{i:0;s:1:\"3\";i:1;s:32:\"b2284c227a6d556a0befb11610ab88cc\";} )

Then here is the cookie, same user/pass, that is set by punBB:

Array ( [PHPSESSID] => 55ebbb7f7b2f0fac58ec0b1307d787c3 [punbb_cookie] => a:2:{i:0;s:1:"3";i:1;s:32:"82383fe852b9a3bd2444e267ccb48e5f";} )

Minus the slashes....everything lines up except for the last line which I think is the password.

Re: Yet another integration issue - setting the cookie outside of punBB

Is $cookie_seed the same value as from config.php?

Re: Yet another integration issue - setting the cookie outside of punBB

Yea, it is.  I was also playing with some different code which I grabbed from the actual login.php page, from which I stripped out the things I didn't think were needed:

        $resultforum = mysql_query("SELECT * FROM lpforum_users WHERE username = '$myusername'");
        $rowforum = mysql_fetch_array($resultforum);
       
        define('PUN_ROOT', './members/forum/');
        include("./members/forum/config.php");
        include("./members/forum/include/common.php");
               
        $user_id=$rowforum['id'];
        $db_password_hash = $rowforum['password'];


        $sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
        $sha1_available = (function_exists('sha1') || function_exists('mhash')) ? true : false;

        $form_password_hash = pun_hash($form_password);    // This could result in either an SHA-1 or an MD5 hash (depends on $sha1_available)

        if ($sha1_in_db && $sha1_available && $db_password_hash == $form_password_hash)
            $authorized = true;
        else if (!$sha1_in_db && $db_password_hash == md5($form_password))
        {
            $authorized = true;

            if ($sha1_available)    // There's an MD5 hash in the database, but SHA1 hashing is available, so we update the DB
                $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$user_id) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
        }


    //if (!$authorized)
        //message($lang_login['Wrong user/pass'].' <a href="login.php?action=forget">'.$lang_login['Forgotten pass'].'</a>');

    // Update the status if this is the first time the user logged in
    if ($group_id == PUN_UNVERIFIED)
        $db->query('UPDATE '.$db->prefix.'users SET group_id='.$pun_config['o_default_user_group'].' WHERE id='.$user_id) or error('Unable to update user status', __FILE__, __LINE__, $db->error());

    // Remove this users guest entry from the online list
    $db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape(get_remote_address()).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());

    $expire = ($save_pass == '1') ? time() + 31536000 : 0;
    pun_setcookie($user_id, $form_password_hash, $expire);

It's from here that I am getting the above referenced results.  The cookie_seed is pulling right from the config so I would think it would be the same.  Curiously though, I wonder if the cookie is not transferring when I go into the forums as I do not see anything in the print_r ($_COOKIE) I have in there when I go there from the external page.  That info is:

$cookie_name = 'punbb_cookie';
$cookie_domain = '';
$cookie_path = '/';
$cookie_secure = 0;

Re: Yet another integration issue - setting the cookie outside of punBB

OK, this one can be marked as "SOLVED". For anyone wondering, here's what I did.

When logging in, I have my checklogin.php file which checks the existing DB and if they are a member of the site it logs the session info for the members only areas.  Then, after that it logs the cookie info for the forum so from within the members section they just click on a link to the forums and they are already logged in there too.

Here's what I did....after my session logging, I added this from the punBB login.php:

    //from punBB login.php - stripped down a bit
    define('PUN_ROOT', './members/forum/');
    include("./members/forum/config.php");
    include("./members/forum/include/common.php");
           
    //from my login form
    $form_username = trim($_POST['myusername']);
    $form_password = trim($_POST['mypassword']);

    $username_sql = ($db_type == 'mysql' || $db_type == 'mysqli') ? 'username=\''.$db->escape($form_username).'\'' : 'LOWER(username)=LOWER(\''.$db->escape($form_username).'\')';

    $result = $db->query('SELECT id, group_id, password, save_pass FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
    list($user_id, $group_id, $db_password_hash, $save_pass) = $db->fetch_row($result);

    $authorized = false;

    if (!empty($db_password_hash))
    {
        $sha1_in_db = (strlen($db_password_hash) == 40) ? true : false;
        $sha1_available = (function_exists('sha1') || function_exists('mhash')) ? true : false;

        $form_password_hash = pun_hash($form_password);    // This could result in either an SHA-1 or an MD5 hash (depends on $sha1_available)

        if ($sha1_in_db && $sha1_available && $db_password_hash == $form_password_hash)
            $authorized = true;
        else if (!$sha1_in_db && $db_password_hash == md5($form_password))
        {
            $authorized = true;

            if ($sha1_available)    // There's an MD5 hash in the database, but SHA1 hashing is available, so we update the DB
                $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$user_id) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
        }
    }

    if (!$authorized)
        message($lang_login['Wrong user/pass'].' <a href="login.php?action=forget">'.$lang_login['Forgotten pass'].'</a>');

    // Update the status if this is the first time the user logged in
    if ($group_id == PUN_UNVERIFIED)
        $db->query('UPDATE '.$db->prefix.'users SET group_id='.$pun_config['o_default_user_group'].' WHERE id='.$user_id) or error('Unable to update user status', __FILE__, __LINE__, $db->error());

    // Remove this users guest entry from the online list
    $db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape(get_remote_address()).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());

    $expire = ($save_pass == '1') ? time() + 31536000 : 0;
    pun_setcookie($user_id, $form_password_hash, $expire);


...and then after this just a header ("location:xxx.php"); to my members area. 

Smarty...thanks for the help...just "talking" it through helps sometimes.
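
Added example (not part of the thread and not punBB's own code): a PHP helper for diagnosing the kind of mismatch shown in the two cookie dumps earlier in the thread. It parses the cookie with a strict pattern instead of calling unserialize() on client-supplied data, then recomputes md5(cookie_seed . password hash) as in the first post; the function names, seed, password and cookie strings are constructed for illustration.

```php
<?php
// Added example, not punBB code; seed, password and cookies below are constructed.

// Parse a:2:{i:0;s:N:"<id>";i:1;s:32:"<md5>";} with a strict pattern rather
// than passing client-controlled data to unserialize().
function parse_forum_cookie(string $raw): ?array
{
    $raw = str_replace('\\"', '"', $raw);   // undo the \" escaping seen in the first dump
    if (!preg_match('/^a:2:\{i:0;s:(\d+):"(\d+)";i:1;s:32:"([0-9a-f]{32})";\}$/D', $raw, $m)) {
        return null;
    }
    if ((int) $m[1] !== strlen($m[2])) {
        return null;                        // declared length must match the id string
    }
    return ['user_id' => (int) $m[2], 'token' => $m[3]];
}

// Token as built in the first post: md5(cookie_seed . stored password hash).
function expected_token(string $cookie_seed, string $db_password_hash): string
{
    return md5($cookie_seed . $db_password_hash);
}

// Compare a received cookie against the values held server-side.
function check_forum_cookie(string $raw, int $db_user_id, string $db_hash, string $seed): string
{
    $cookie = parse_forum_cookie($raw);
    if ($cookie === null) {
        return 'malformed';
    }
    if ($cookie['user_id'] !== $db_user_id) {
        return 'user id mismatch';
    }
    // Constant-time comparison of the two 32-character hex tokens.
    return hash_equals(expected_token($seed, $db_hash), $cookie['token']) ? 'ok' : 'token mismatch';
}

// Constructed sample data.
$seed   = 'example-seed';
$stored = sha1('example-password');                   // SHA-1 hash as stored in the users table
$good   = serialize(['3', md5($seed . $stored)]);
$cases  = [
    'forum-issued'   => $good,
    'escaped'        => addslashes($good),            // same cookie with \" escaping
    'empty-password' => serialize(['3', md5($seed . sha1(''))]),
    'truncated'      => 'a:2:{i:0;s:1:"3";}',
];
foreach ($cases as $label => $raw) {
    echo $label, ': ', check_forum_cookie($raw, 3, $stored, $seed), PHP_EOL;
}
```

A "token mismatch" with a matching user id points at the seed or the hash fed into md5(), which is the symptom in the two dumps quoted in the thread.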