Passing authentificator using own login
Posted by luuuki
|
Passing authentificator using own login March 20, 2007 01:40PM |
Registered: 18 years ago Posts: 8 |
Hi,
I know that this is the thousandth thread about integrating Phorum in a self-made site. I read almost all the other threads about that topic, but now I'm stuck at a point where even that doesn't help me anymore.
After many frustrating hours and several coffees I finally managed to set Phorum's session and cookie using the user ID from my session. The embed module by mkay was a big help up to here.
But I still can't write messages or go to my profile in Phorum, because of the authenticator (I think it is in user.php). I really don't know how to tell Phorum, after I loaded cookie and session and fed GLOBAL[PHORUM][user] and [LOGGEDIN] and [PHORUM_SESSION_LONG_TERM] with the right values, that the user is really logged in, so that it doesn't have to show the login form and sends the user directly to the desired page.
I could have used the embed module, but it uses too many functions I just don't need. I simply get a user_id from another session and log in the user with this ID in Phorum. The rest should still be handled by Phorum itself.
Hope you can help,
luki
|
Re: Passing authentificator using own login March 20, 2007 02:02PM |
Registered: 18 years ago Posts: 8 |
Okay, I just got the solution, even if I'm not quite sure if it is correct and clean. I also set [FULLY_LOGGEDIN] to 1 in my module. Now I can log in at my site and then surf and post in Phorum. If I'm not logged in, I just have reading permissions. That is exactly what I wanted, but I have a bad feeling about the way I chose.
|
March 20, 2007 02:50PM |
Admin Registered: 21 years ago Posts: 8,532 |
Of course you should have used the embed module ;-) Even though you don't use many of its features, it's still the easiest way (IMO, but I am prejudiced) to fit Phorum in a website. Providing a user_id to Phorum is one of the key features in fact.
You now have followed a different path to convince Phorum that the user is authenticated. Based on the description, it doesn't look like a really bad method. The difference between the embed module and your method is that the embed module tries to set up a minimal fake URI authentication where Phorum will set up the correct environment after that. So I don't have to tinker with the authentication-related environment variables myself from the module. In the long run, that might be the safest way, because no adaptation to new internal code is needed that way.
Maurice Makaay
Phorum Development Team
my blog
linkedin profile
secret sauce
|
Re: Passing authentificator using own login March 21, 2007 05:29AM |
Registered: 18 years ago Posts: 8 |
// Setup (fake) URI authentication for Phorum to recognize the user.
$GLOBALS["PHORUM"]["args"][PHORUM_SESSION_LONG_TERM] = $sessid;
Is that the row where you fake the URI? Because I use that too, but it's not enough to convince Phorum that the user is logged in.
The reason why I don't use your module, although it is great :) , is that I still need some things controlled by Phorum. For example, I have no need of the module feature where it puts Phorum in an output buffer to place it inside my other page. Phorum still runs on its own subdomain and just has to know which user is logged in at the main page.
Security. That's one point where I'm still not sure if my module is good. Well, I just get a user_id from a session, use that user_id to create/load a Phorum session and cookie, and fake a logged-in user. Could that be wrong? I don't know enough about security and Phorum to be sure that my method is secure.
Edit: What happens in your module when you deactivate cookies in your browser?
Edited 1 time(s). Last edit at 03/21/2007 05:41AM by luuuki.
|
March 21, 2007 06:48AM |
Admin Registered: 21 years ago Posts: 8,532 |
Quote
Is that the row where you fake the URI? Because I use that too, but it's not enough to convince Phorum that the user is logged in.
Maybe you do it too late. I handle this from the common_pre hook, so the URI auth is set at a really early stage.
Quote
Edit: What happens in your module when you deactivate cookies in your browser?
Depends on the master application. Phorum does not care, since it gets the authentication handed over from the master. If the master handles authentication without cookies, then so does Phorum. The only thing is that without cookies, the embedding code will not be able to store the embedding session cookie. This will not affect the functionality of the module. It will only cause some code to be run less efficiently.
Maurice Makaay
Phorum Development Team
|
Re: Passing authentificator using own login March 21, 2007 07:00AM |
Registered: 18 years ago Posts: 8 |
|
March 21, 2007 07:30AM |
Admin Registered: 21 years ago Posts: 8,532 |
If you do the same as in the embedding module, then it should work. So you are apparently not doing the same here. Do you generate a cookie and store it with the user data? Do you set up Phorum to disable tight security and cookie auth? Basically, check against the source of the embedding module whether you really are doing the same.
Maurice Makaay
Phorum Development Team
|
Re: Passing authentificator using own login March 21, 2007 08:17AM |
Registered: 18 years ago Posts: 8 |
|
March 21, 2007 08:23AM |
Admin Registered: 21 years ago Posts: 8,532 |
The only reason for me to set the cookie through an image, is to make sure that there won't be problems if other parts of the software already printed info, in which case I cannot set a header anymore (the famous error about being able to send header data, because output started at ...). With this image hack, setting the cookie will work in all environments. If in your environment setting a cookie at that point is no problem, then do so. There's no difference in these two methods. A cookie is a cookie is a cookie.
Maurice Makaay
Phorum Development Team
|
Re: Passing authentificator using own login March 21, 2007 09:13AM |
Registered: 18 years ago Posts: 8 |
Hmm, just as I thought. So this couldn't be the reason why my login doesn't work completely.
Cookies are set, database written and $GLOBALS[PHORUM]["args"][PHORUM_SESSION_LONG_TERM] set to the current session ID (as in the database). But Phorum only shows me as a logged-in user when I set LOGGEDIN and FULLY_LOGGEDIN to 1. What else could I do?
Edit: Sorry, my fault. Changed the name of the function to common_pre but not the hook (before the pipe). Nearly as bad as forgetting a semicolon (;). Shame on me. :(
Edit2: Hmm, but now, when I click a link, Phorum always sends the session ID with the link (the session ID is visible). I thought that's only when cookies are disabled?
Edited 2 time(s). Last edit at 03/21/2007 09:18AM by luuuki.
