[phpBB Debug] PHP Warning: in file [ROOT]/includes/bbcode.php on line 112: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Warning: in file [ROOT]/includes/bbcode.php on line 112: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Warning: in file [ROOT]/includes/bbcode.php on line 112: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Warning: in file [ROOT]/includes/bbcode.php on line 112: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4762: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3897)
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4764: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3897)
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4765: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3897)
[phpBB Debug] PHP Warning: in file [ROOT]/includes/functions.php on line 4766: Cannot modify header information - headers already sent by (output started at [ROOT]/includes/functions.php:3897)
ClanKiller.com - View topic - Integrating PHPbb3 authentication into a website
It is currently Thu Nov 21, 2024 7:19 pm



Reply to topic  [ 7 posts ] 
Integrating PHPbb3 authentication into a website 
Author Message
Felix Rex
User avatar

Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16662
Location: On a slope
Reply with quote
Post Integrating PHPbb3 authentication into a website
So I spent quite a bit of time pulling apart the authentication mechanism that phpbb3 uses. First... if you're going to do this... do it BEFORE you build your own authentication engne. :?

Not surprisingly, there isn't much documentation outside of code comments. However, basically it's not possible to just include files and have access to phpbb3 authentication. This is unfortunate... if they had build their auth system more modularly, it would've been a cinch.

At any rate, the way the auth system works is that when you log in, it creates a row in a table with a bunch of user and session information. In a default installation, the table name is phpbb_sessions. The authentication system then basically passes the sid around via GET, though it's smart enough out of the box to pull it out of a session variable. In fact, phpbb seems to take all global arrays and stick them together into one big array.

Once the sid is retrieved, it then pulls the session info out of the db table and verifies that the ip address and browser string are the same. This handles page-to-page validation. This leaves room for MITM attacks and session hijacking, but it's no easier than if you pass the username/password every page refresh.

I ended up having to write my own methods to validate the passed sid. I also made a slight mod to the session.php class to write the sid into $_SESSION. Passing a sid across pages on my site would have required way too much work. This allowed me to pick up the sid and validate and, if you went back to the forum, the forum was smart enough to pick up the session sid on its own, maintaining logged-in status.

Logging out is relatively simple... I just bastardized the session_kill method of the session class from session.php. This basically involves deleting the session from the sessions table and unsetting cookies that may exist. I also updated the last_visit field in the phpbb users table.

I still need to pull apart the login process so I can clone it. I'll probably post full code when I'm done and verify functionality more thoroughly.

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Mon Feb 22, 2010 3:18 pm
Profile WWW
Minor Diety
User avatar

Joined: Tue Apr 01, 2003 10:23 am
Posts: 3956
Location: Amsterdam
Reply with quote
Post Re: Integrating PHPbb3 authentication into a website
Is it very different from phpbb 2.x? Or don't you have any experience with that?

_________________
Melchett: As private parts to the gods are we: they play with us for their sport!


Mon Feb 22, 2010 3:25 pm
Profile
Felix Rex
User avatar

Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16662
Location: On a slope
Reply with quote
Post Re: Integrating PHPbb3 authentication into a website
I didn't really look too much into 2.x authentication, so I can't be positive. Looking at the table structure, it looks like the sid/session structure is probably the same. I don't know how 2.x code compares to the 3.x code, but I imagine it's probably fairly similar.

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Mon Feb 22, 2010 3:27 pm
Profile WWW
Felix Rex
User avatar

Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16662
Location: On a slope
Reply with quote
Post Re: Integrating PHPbb3 authentication into a website

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Wed Feb 24, 2010 8:55 am
Profile WWW
Felix Rex
User avatar

Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16662
Location: On a slope
Reply with quote
Post Re: Integrating PHPbb3 authentication into a website

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Wed Feb 24, 2010 9:12 am
Profile WWW
Felix Rex
User avatar

Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16662
Location: On a slope
Reply with quote
Post Re: Integrating PHPbb3 authentication into a website

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Fri Feb 26, 2010 11:18 am
Profile WWW
Felix Rex
User avatar

Joined: Fri Mar 28, 2003 6:01 pm
Posts: 16662
Location: On a slope
Reply with quote
Post Re: Integrating PHPbb3 authentication into a website

_________________
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.


Mon Mar 15, 2010 12:19 pm
Profile WWW
Display posts from previous:  Sort by  
Reply to topic   [ 7 posts ] 

Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by STSoftware.