Integrating phpBB3 authentication into a website
So I spent quite a bit of time pulling apart the authentication mechanism that phpBB3 uses. First... if you're going to do this... do it BEFORE you build your own authentication engine.
Not surprisingly, there isn't much documentation outside of code comments. However, basically it's not possible to just include a couple of files and have access to phpBB3 authentication. This is unfortunate... if they had built their auth system more modularly, it would've been a cinch.
At any rate, the way the auth system works is that when you log in, it creates a row in a table with a bunch of user and session information. In a default installation, the table name is phpbb_sessions. The forum then carries the session id (sid) from page to page: it prefers its own cookies (phpbb3_sid, phpbb3_u and phpbb3_k with the default cookie name) and falls back to a ?sid= GET parameter when those aren't available, which is why sids show up in forum URLs. Its request_var() helper reads from PHP's $_REQUEST, which merges GET, POST and cookie input into one array, so most of the code doesn't care where a value came from.
Once the sid is retrieved, it pulls the matching row out of phpbb_sessions and checks that the session hasn't expired (session_time plus the configured session length) and that the client's IP address and User-Agent string match the ones stored at login; how many octets of the IP are compared, and whether the browser check runs at all, are admin settings. That is the whole of page-to-page validation. It still leaves room for session hijacking: anyone who can read the sid (a man in the middle on plain HTTP, or a Referer header or log file when the sid is in the URL) and can present the same IP and User-Agent owns the session. That's no worse than sending username/password on every page refresh, but it is a reason to keep the sid in a cookie rather than in URLs and to serve the forum over HTTPS.
I ended up having to write my own methods to validate the passed sid. I also made a slight mod to the session.php class to write the sid into $_SESSION. Passing a sid across pages on my site would have required way too much work. This allowed me to pick up the sid and validate and, if you went back to the forum, the forum was smart enough to pick up the session sid on its own, maintaining logged-in status.
Logging out is relatively simple... I just bastardized the session_kill method of the session class from session.php. This basically involves deleting the session from the sessions table and unsetting cookies that may exist. I also updated the last_visit field in the phpbb users table.
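The two pieces above, sid validation and logout, written out as an added example. This is not phpBB's own code and not the post's code; it runs against phpBB3's default phpbb_sessions and phpbb_users tables with a PDO connection you supply. Everything in the constants is an assumption about the board's ACP settings (table prefix phpbb_, cookie name phpbb3, session length 3600 s, IP compared on the first 3 octets, browser check on), the function names are hypothetical, and `$_SESSION['phpbb_sid']` is the key I use for the "write the sid into $_SESSION" mod.

```php
<?php
// Added example, not phpBB's code. Assumptions: phpbb_ prefix, cookie name phpbb3,
// session length 3600, IP check on 3 octets, browser check enabled, PHP >= 7.1.

const PHPBB_TABLE_PREFIX   = 'phpbb_';
const PHPBB_COOKIE_NAME    = 'phpbb3';   // ACP "Cookie name"
const PHPBB_SESSION_LENGTH = 3600;       // ACP "Session length", seconds
const PHPBB_IP_CHECK       = 3;          // ACP "Session IP validation": octets compared
const PHPBB_ANONYMOUS      = 1;          // user_id of the guest account in phpBB3

/** Pick up the sid the way phpBB does: its own cookie first, ?sid= as a fallback. */
function phpbb_get_sid(): string
{
    $sid = $_COOKIE[PHPBB_COOKIE_NAME . '_sid'] ?? $_GET['sid'] ?? '';
    // phpBB3 sids are 32 hex characters; anything else never reaches the database
    return (is_string($sid) && preg_match('/^[0-9a-f]{32}$/', $sid)) ? $sid : '';
}

/** Reduce an IPv4 address to the octets the forum actually compares. */
function phpbb_ip_prefix(string $ip, int $octets): string
{
    return implode('.', array_slice(explode('.', $ip), 0, $octets));
}

/** Normalise a User-Agent string for comparison (phpBB keeps at most 150 chars). */
function phpbb_browser_key(string $browser): string
{
    return trim(strtolower(substr($browser, 0, 149)));
}

/**
 * Return ['user_id' => ..., 'username' => ...] for a live, logged-in session,
 * or null if the sid is unknown, expired, a guest session, or bound to another client.
 */
function phpbb_validate_sid(PDO $db, string $sid, string $ip, string $browser): ?array
{
    if ($sid === '') {
        return null;
    }
    $sql = 'SELECT s.session_user_id, s.session_ip, s.session_browser, s.session_time, u.username'
         . ' FROM ' . PHPBB_TABLE_PREFIX . 'sessions s'
         . ' JOIN ' . PHPBB_TABLE_PREFIX . 'users u ON u.user_id = s.session_user_id'
         . ' WHERE s.session_id = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (int) $row['session_user_id'] === PHPBB_ANONYMOUS) {
        return null;                                   // no such session, or a guest session
    }
    if ((int) $row['session_time'] + PHPBB_SESSION_LENGTH < time()) {
        return null;                                   // idle too long; treat as expired
    }
    if (phpbb_ip_prefix($row['session_ip'], PHPBB_IP_CHECK) !== phpbb_ip_prefix($ip, PHPBB_IP_CHECK)) {
        return null;                                   // client moved networks
    }
    // phpBB 3.0 stores the User-Agent HTML-escaped (assumption from session.php),
    // so escape the live one the same way before comparing
    if (phpbb_browser_key($row['session_browser']) !== phpbb_browser_key(htmlspecialchars($browser))) {
        return null;                                   // different browser string
    }
    return ['user_id' => (int) $row['session_user_id'], 'username' => $row['username']];
}

/**
 * Log out the way session_kill() does: drop the row, record the last visit,
 * clear phpBB's cookies. Autologin keys (phpbb_sessions_keys) are left alone here;
 * delete the user's rows there too if your site lets people use "remember me".
 */
function phpbb_kill_session(PDO $db, string $sid): void
{
    if ($sid === '') {
        return;
    }
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT session_user_id FROM ' . PHPBB_TABLE_PREFIX . 'sessions WHERE session_id = ?');
    $stmt->execute([$sid]);
    $userId = (int) $stmt->fetchColumn();              // 0 when the row is already gone
    if ($userId > PHPBB_ANONYMOUS) {
        $db->prepare('UPDATE ' . PHPBB_TABLE_PREFIX . 'users SET user_lastvisit = ? WHERE user_id = ?')
           ->execute([time(), $userId]);
    }
    $db->prepare('DELETE FROM ' . PHPBB_TABLE_PREFIX . 'sessions WHERE session_id = ?')->execute([$sid]);
    $db->commit();

    // expire the three phpBB cookies; path/domain must match the ACP cookie settings ('/' assumed)
    foreach (['_sid', '_u', '_k'] as $suffix) {
        setcookie(PHPBB_COOKIE_NAME . $suffix, '', time() - 3600, '/');
    }
    unset($_SESSION['phpbb_sid']);
}

// Usage on a page of your own site (sid carried in your PHP session, as in the mod above):
// session_start();
// $db   = new PDO('mysql:host=localhost;dbname=forum', 'user', 'pass',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $sid  = $_SESSION['phpbb_sid'] ?? phpbb_get_sid();
// $user = phpbb_validate_sid($db, $sid, $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_USER_AGENT'] ?? '');
// if ($user === null) { /* not logged in to the forum */ }
```

Two things worth keeping from this even if you rewrite it: reject anything that isn't a 32-hex-character sid before it touches the database, and never trust a sid that arrives in the URL over one that arrives in phpBB's own cookie, since the URL form leaks through Referer headers and access logs.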
I still need to pull apart the login process so I can clone it. I'll probably post full code when I'm done and verify functionality more thoroughly.