How to integrate website login with PHPBB3


34 Replies - 6226 Views - Last Post: 11 September 2013 - 11:17 AM

#1 Logik22

Posted 01 August 2013 - 07:24 PM

I'm creating a website and I would like to have it linked to my PHPBB3.0.11 login. I've looked this up but it seems every resource has a different method. I haven't been able to get it to work so I'm trying to figure out what I need to know to find the correct resource?

Basically I would just like to be able to register on the website OR the forums and then be able to seamlessly navigate between both systems with the same log in. As I said, what do I need to know to find out what method will work for me?


Replies To: How to integrate website login with PHPBB3

#2 Martyr2

Posted 01 August 2013 - 08:44 PM

Well I don't know how much has changed since the older versions of PHPBB, but you used to be able to simply create a new user in the PHPBB users table and give it the same username and password as assigned to the website. Then mimic all the functions really. When someone changes their username or password etc, just update both tables in the database. The beauty of this setup is that you could essentially update PHPBB without issue and without breaking your site.

I would assume you could still do something similar.

#3 Logik22

Posted 01 August 2013 - 08:51 PM

Martyr2, on 01 August 2013 - 08:44 PM, said:

Well I don't know how much has changed since the older versions of PHPBB, but you used to be able to simply create a new user in the PHPBB users table and give it the same username and password as assigned to the website. Then mimic all the functions really. When someone changes their username or password etc, just update both tables in the database. The beauty of this setup is that you could essentially update PHPBB without issue and without breaking your site.

I would assume you could still do something similar.


I'm getting stuck with the hashing though. So when I type in "subaru" as my password it is stored as "fjdsalkrj32fsalkza" in the database. I need to encrypt/decrypt it (not sure if those are the right words but you get it). If I can do that it should just need to implement a session saving functionality and then tell the login to reference the phpbb-users table. Right?

#4 JackOfAllTrades

Posted 02 August 2013 - 03:25 AM

If PHPBB3 is implemented properly you do NOT need to "encrypt/decrypt it". As you said, the value is HASHED, which is a one-way mechanism; it's not intended to be reversed. I'm guessing you need to know the hashing mechanism used by the PHPBB3 system and use the same mechanism to hash your password.

#5 Logik22

Posted 02 August 2013 - 07:55 PM

I'm still a little unsure of how to do this.

I found a resource for phpass here:
http://www.openwall.com/phpass/

and a tutorial here:
http://sunnyis.me/bl...cure-passwords/


When I put the password in it hashes it but says it's the wrong password (as it should because the database has a non-hashed PW). I notice each time I do it the hash is different. Any thoughts? I also noticed if I used the test.php included with the PasswordHash.php it changes the hash on each refresh. Am I missing something?

#6 JackOfAllTrades

Posted 03 August 2013 - 02:59 AM

You can't mix and match hashing mechanisms. PHPBB3 is an open-source project, you can download their source code and use the code to replicate the hashing mechanism.

includes/auth/auth_db.php contains the login code, and includes/functions.php contains the hashing functions (which sadly use md5).

#7 Logik22

Posted 03 August 2013 - 06:30 AM

JackOfAllTrades, on 03 August 2013 - 02:59 AM, said:

You can't mix and match hashing mechanisms. PHPBB3 is an open-source project, you can download their source code and use the code to replicate the hashing mechanism.

includes/auth/auth_db.php contains the login code, and includes/functions.php contains the hashing functions (which sadly use md5).



I saw a couple resources saying they no longer use MD5. I just created a new user and tried to put the hashed password ($H$9nYy4Lygl0vmNLusrtvYJRTriw9hTo/) into an MD5 decrypter and it didn't work.

#8 Logik22

Posted 04 August 2013 - 03:54 PM

bump -- Anyone have any suggestions?

#9 Logik22

Posted 06 August 2013 - 05:51 PM

So it looks like in PHPBB3 it handles the same functionality here:

/**
*
* @version Version 0.1 / slightly modified for phpBB 3.0.x (using $H$ as hash type identifier)
*
* Portable PHP password hashing framework.
*
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
* the public domain.
*
* There's absolutely no warranty.
*
* The homepage URL for this framework is:
*
*	http://www.openwall.com/phpass/
*
* Please be sure to update the Version line if you edit this file in any way.
* It is suggested that you leave the main version number intact, but indicate
* your project name (after the slash) and add your own revision information.
*
* Please do not change the "private" password hashing method implemented in
* here, thereby making your hashes incompatible.  However, if you must, please
* change the hash type identifier (the "$P$") to something different.
*
* Obviously, since this code is in the public domain, the above are not
* requirements (there can be none), but merely suggestions.
*
*
* Hash the password
*/
function phpbb_hash($password)
{
	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

	$random_state = unique_id();
	$random = '';
	$count = 6;

	if (($fh = @fopen('/dev/urandom', 'rb')))
	{
		$random = fread($fh, $count);
		fclose($fh);
	}

	if (strlen($random) < $count)
	{
		$random = '';

		for ($i = 0; $i < $count; $i += 16)
		{
			$random_state = md5(unique_id() . $random_state);
			$random .= pack('H*', md5($random_state));
		}
		$random = substr($random, 0, $count);
	}

	$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);

	if (strlen($hash) == 34)
	{
		return $hash;
	}

	return md5($password);
}

/**
* Check for correct password
*
* @param string $password The password in plain text
* @param string $hash The stored password hash
*
* @return bool Returns true if the password is correct, false if not.
*/
function phpbb_check_hash($password, $hash)
{
	$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
	if (strlen($hash) == 34)
	{
		return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
	}

	return (md5($password) === $hash) ? true : false;
}

/**
* Generate salt for hash generation
*/
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
{
	if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
	{
		$iteration_count_log2 = 8;
	}

	$output = '$H$';
	$output .= $itoa64[min($iteration_count_log2 + ((PHP_VERSION >= 5) ? 5 : 3), 30)];
	$output .= _hash_encode64($input, 6, $itoa64);

	return $output;
}

/**
* Encode hash
*/
function _hash_encode64($input, $count, &$itoa64)
{
	$output = '';
	$i = 0;

	do
	{
		$value = ord($input[$i++]);
		$output .= $itoa64[$value & 0x3f];

		if ($i < $count)
		{
			$value |= ord($input[$i]) << 8;
		}

		$output .= $itoa64[($value >> 6) & 0x3f];

		if ($i++ >= $count)
		{
			break;
		}

		if ($i < $count)
		{
			$value |= ord($input[$i]) << 16;
		}

		$output .= $itoa64[($value >> 12) & 0x3f];

		if ($i++ >= $count)
		{
			break;
		}

		$output .= $itoa64[($value >> 18) & 0x3f];
	}
	while ($i < $count);

	return $output;
}

/**
* The crypt function/replacement
*/
function _hash_crypt_private($password, $setting, &$itoa64)
{
	$output = '*';

	// Check for correct hash
	if (substr($setting, 0, 3) != '$H$' && substr($setting, 0, 3) != '$P$')
	{
		return $output;
	}

	$count_log2 = strpos($itoa64, $setting[3]);

	if ($count_log2 < 7 || $count_log2 > 30)
	{
		return $output;
	}

	$count = 1 << $count_log2;
	$salt = substr($setting, 4, 8);

	if (strlen($salt) != 8)
	{
		return $output;
	}

	/**
	* We're kind of forced to use MD5 here since it's the only
	* cryptographic primitive available in all versions of PHP
	* currently in use.  To implement our own low-level crypto
	* in PHP would result in much worse performance and
	* consequently in lower iteration counts and hashes that are
	* quicker to crack (by non-PHP code).
	*/
	if (PHP_VERSION >= 5)
	{
		$hash = md5($salt . $password, true);
		do
		{
			$hash = md5($hash . $password, true);
		}
		while (--$count);
	}
	else
	{
		$hash = pack('H*', md5($salt . $password));
		do
		{
			$hash = pack('H*', md5($hash . $password));
		}
		while (--$count);
	}

	$output = substr($setting, 0, 12);
	$output .= _hash_encode64($hash, 16, $itoa64);

	return $output;
}

/**
* Hashes an email address to a big integer
*
* @param string $email		Email address
*
* @return string			Unsigned Big Integer
*/
function phpbb_email_hash($email)
{
	return sprintf('%u', crc32(strtolower($email))) . strlen($email);
}



I want to be able to have a log in form and then pass the credentials to the beginning of this (logically) and just let it take it through the rest of the process.

How feasible is this?
Can anyone point me in the right direction on beginning this task?
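
Why the hash changes on every refresh yet a login check still works, as an added example that is not part of the thread or of phpBB's code: the `$H$` string carries a cost character and a random salt in front of the digest, and verification re-hashes the submitted password with the stored salt (for the hash quoted in post #7, cost character `9` means 2^11 = 2048 MD5 rounds and the salt is `nYy4Lygl`). The helper names are hypothetical, the algorithm follows the functions quoted in post #9, and `random_bytes()` and the type hints assume PHP 7.1+.

```php
<?php
// Added illustration; helper names are hypothetical, not phpBB's own.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
// phpass-style base64: 6 bits per character, low bits first.
function encode64(string $in, int $count): string
{
    $a = ITOA64; $out = ''; $i = 0;
    do {
        $v = ord($in[$i++]);
        $out .= $a[$v & 0x3f];
        if ($i < $count) { $v |= ord($in[$i]) << 8; }
        $out .= $a[($v >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $v |= ord($in[$i]) << 16; }
        $out .= $a[($v >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= $a[($v >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Fields in front of the digest: "$H$", one cost character, eight salt characters.
function parse_setting(string $s): ?array
{
    $log2 = strlen($s) >= 12 ? strpos(ITOA64, $s[3]) : false;
    $known = in_array(substr($s, 0, 3), ['$H$', '$P$'], true);
    if (!$known || $log2 === false || $log2 < 7 || $log2 > 30) { return null; }
    return ['rounds' => 1 << $log2, 'salt' => substr($s, 4, 8), 'setting' => substr($s, 0, 12)];
}

// Salted, iterated MD5. $setting is a stored hash or just its first 12 characters.
function crypt_private(string $password, string $setting): string
{
    $p = parse_setting($setting);
    if ($p === null) { return '*'; }
    $hash = md5($p['salt'] . $password, true);
    for ($n = $p['rounds']; $n > 0; $n--) { $hash = md5($hash . $password, true); }
    return $p['setting'] . encode64($hash, 16);
}

// New hash: fresh 6-byte random salt each call, so the output differs every time.
function new_hash(string $password, int $log2 = 11): string
{
    return crypt_private($password, '$H$' . substr(ITOA64, $log2, 1) . encode64(random_bytes(6), 6));
}

// Login check: re-hash with the stored salt and compare in constant time.
// Unlike phpbb_check_hash(), there is no fallback to unsalted md5() here.
function check_hash(string $password, string $stored): bool
{
    return strlen($stored) === 34 && hash_equals($stored, crypt_private($password, $stored));
}

var_dump(parse_setting('$H$9nYy4Lygl0vmNLusrtvYJRTriw9hTo/')); // hash quoted in post #7
$first = new_hash('subaru'); $second = new_hash('subaru');     // same password, two salts
var_dump($first === $second, check_hash('subaru', $first), check_hash('subaru', $second));
var_dump(check_hash('Subaru', $first));                        // wrong password
```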

#10 Atli

Posted 08 August 2013 - 05:14 AM

You don't really need to be worrying about the hashing method. You are kind of over-complicating the issue with that.

My suggestion would be to just use the PHPBB login form for all visitors. When they try to log into your main site, redirect them to the PHPBB login form. You can then modify that to redirect them back to the main site, if that is where they came from. (Look into the HTTP_REFERER header.)

Once they are logged into the PHPBB forum, a session will be created for that part of the site. If you share that session with your main site, then both can use the login credentials from PHPBB. You just need to look at how PHPBB sets up the session for logged in users, and use that same setup in your main site.

I don't know how your sites are set up, so I can't really say for sure how you can set the session up to be shared among them, but PHP sessions are by default set up to be shared by all code on the current domain, and it can be set up to be shared among all sub-domains as well. (Look at the session_set_cookie_params() function for details. The $domain parameter, specifically.)
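
Post #10 suggests sending visitors back to the page they came from using the HTTP_REFERER header. That header is supplied by the client, so a redirect built from it should be restricted to your own host; the following is an added example (not from the thread or from phpBB), with a hypothetical function name and constructed host names and URLs.

```php
<?php
// Added illustration; function name, host list and sample URLs are constructed.

/**
 * Map a client-supplied Referer to a same-site path to send the user back to.
 * Returns $default when the header is absent, malformed or points off-site.
 */
function return_path(?string $referer, array $allowedHosts, string $default = '/'): string
{
    // Missing, oversized or containing control characters: do not use it
    if ($referer === null || $referer === '' || strlen($referer) > 2048
        || preg_match('/[\x00-\x1f\x7f]/', $referer)) {
        return $default;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    // Exact host match against an allow list; no suffix or substring matching
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $default;
    }
    $path = $parts['path'] ?? '/';
    // Browsers read "//host" and "/\host" as a different origin
    if ($path[0] !== '/' || in_array(substr($path, 1, 1), ['/', '\\'], true)) {
        return $default;
    }
    // Only path and query are kept, so the redirect stays on this site
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

$hosts = ['www.example.com'];
$samples = [
    'https://www.example.com/members/area.php?tab=2',
    'https://www.example.com.other.test/members/',
    'https://www.example.com//other.test/',
    'javascript:void(0)',
    null,
];
foreach ($samples as $sample) {
    printf("%s => %s\n", var_export($sample, true), return_path($sample, $hosts, '/index.php'));
}
```

In a real page the first argument would be `$_SERVER['HTTP_REFERER'] ?? null`, and the returned path is what goes into the `Location:` header after login.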

#11 e_i_pi

Posted 08 August 2013 - 06:42 PM

If you're just looking at having a login/password form on a page that logs in via phpBB3, then HTML like this will work:
<form method="post" action="/phpBB3/ucp.php?mode=login>
	<label>Username</label>
	<input name="username" type="text" id="username" class="width120 textbox" tabindex="1" />
	<label>Password</label>
	<input name="password" type="password" id="password" class="width120 textbox" tabindex="2" />
</form>


Note the value for the action attribute on the form. If your phpBB3 installation is not in the directory /phpBB3, then you'll need to change that path.

If you want to access the phpBB $user object in your application, there's a few ways to do it. I tend to push the $user object into a singleton property, such as the code below (a very stripped back version of what I use). Note carefully the method Initialise():
abstract class User
{
	/** @var mixed The phpBB user object. */
	public static $PhpbbUser;

	/**
	 * Returns the user's ID.
	 *
	 * @static
	 * @return int The user's ID.
	 */
	public static function ID()
	{
		return (int)self::$PhpbbUser->data['user_id'];
	}

	/**
	 * Initialises the static user object.
	 *
	 * @static
	 */
	public static function Initialise()
	{
		// Load the user
        if(!isset(self::$PhpbbUser))
        {
            global $user;
            self::$PhpbbUser = $user;
        }
	}

	/**
	 * Checks whether the user is anonymous.
	 *
	 * @static
	 * @return bool
	 */
	public static function IsAnon()
	{
		// Is the user Anonymous in phpBB?
		return self::$PhpbbUser->data['user_id'] == ANONYMOUS;
	}

	/**
	 * Checks whether the user is a bot.
	 *
	 * @static
	 * @return mixed
	 */
    public static function IsBot()
    {
        // Is the user a Bot in phpBB?
        return self::$PhpbbUser->data['is_bot'];
    }

	/**
	 * Checks whether the user is registered.
	 *
	 * @static
	 * @return bool
	 */
    public static function IsRegistered()
    {
        // Is the user registered in phpBB?
        return self::$PhpbbUser->data['user_id'] != ANONYMOUS;
    }

}



When you load up a page, you'll need to bootstrap the User singleton like so:
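// phpBB 3.0.x scripts exit at once unless IN_PHPBB is defined
define('IN_PHPBB', true);
$phpbb_root_path = /* enter your phpBB root path here */;
// common.php and the include below rely on $phpEx (the file extension, "php")
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include $phpbb_root_path . 'common.php';
include $phpbb_root_path . 'includes/functions_user.' . $phpEx;
include /* enter the path to the User class file here */;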

// Commence the phpBB3 user session
$user->session_begin();
$auth->acl($user->data);
$user->setup();
User::Initialise();



...after which you can put conditionals in your authenticated user PHP pages like so:
if(User::IsAnon())
{
	header('Location: /phpBB3/ucp.php?mode=register');
	die();
}


...which will redirect them to the registration page so that they can register for your authenticated content.

This post has been edited by e_i_pi: 08 August 2013 - 06:43 PM


#12 Logik22

Posted 11 August 2013 - 02:00 PM

That was very informative, thanks!

It looks like with this method it will have them go through the user login screen of PHPBB3. In some situations the web page will be associated with a forum whereas in other situations they will just have a webpage. Using this method, will there be any functionality issues when they do not use a PHPBB3 forum?

This post has been edited by andrewsw: 11 August 2013 - 02:17 PM
Reason for edit:: Removed unnecessary quote of previous post


#13 e_i_pi

Posted 11 August 2013 - 04:44 PM

Well, the login screen automatically redirects to the index.php page of the forum. You'd have to track down where it does the redirect, then redirect to the appropriate page. Otherwise, I don't see why there would be an issue.

#14 Logik22

Posted 13 August 2013 - 12:36 PM

I tried to implement this but when I'm on my page and log in it will submit me to a blank PHPBB3 forum login screen. Any ideas?

#15 e_i_pi

Posted 13 August 2013 - 03:05 PM

Sorry, that initial HTML was a tad lacking, there was an unclosed quote and no submit button. Your html should look something like this:
<form method="post" action="/phpBB/ucp.php?mode=login">
    <label>Username</label>
    <input name="username" type="text" id="username" class="width120 textbox" tabindex="1" />
    <label>Password</label>
    <input name="password" type="password" id="password" class="width120 textbox" tabindex="2" />
    <input type="submit" value="Login" name="login">
</form>


So when you hit "Login" there, is that when it takes you to a blank page? If so, the path to ucp.php?mode=login may not be correct. You'll have to check the path to make sure it is directing to the correct file. What is the directory of your phpBB installation?