Login from outside forum (Own authentication system and login page)

I am having trouble integrating Phorum with our existing authentication system. I have our user admin syncing the two systems. No problem there.

Where I am having an issue is when logging in via our login page.

On login I call the following function which, from reading amlost every thread here, I would think would work, but it is still not seeing me as a logged in user. I think I am missing something fairly fundamental. If I output the $PHORUM array after login, loggedin is set to 1. But after going into the Phorum "site", the $PHORUM array has a LOT more stuff in it and loggedin is not set. So it looks like it is getting overwritten with a new copy?

function login_phorum_user( $phorum_id )
	{
	$dir = realpath(dirname(__FILE__)) . "/../phorum";
	chdir( $dir ); 

	define("PHORUM", 1);

	global $PHORUM;
	//Phorum Includes
	include_once("include/db/config.php");
	include_once("include/db/mysql.php");
	include_once("include/api/base.php");
	include_once("include/api/user.php");
	setcookie( "phorum_tmp_cookie", "this will be destroyed once logged in", 0, "/phorum", $PHORUM["session_domain"] );
	phorum_api_user_set_active_user( PHORUM_FORUM_SESSION, $phorum_id );
	phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN);
	echo '<pre>' . print_r( $PHORUM ) . '</pre>';
	}

Any help on what I am missing would be appreciated.

Thanks

If I run the exact code from below against my 5.2 tree, I do get a $PHORUM array that has "LOGGEDIN" set. I tried user_id 1 here, which is my admin user. Code:

$dir = realpath(dirname(__FILE__)) . "/../";
chdir( $dir );

define("PHORUM", 1);
global $PHORUM;

include_once("./include/db/config.php");
include_once("./include/db/mysql.php");
include_once("./include/api/base.php");
include_once("./include/api/user.php");

phorum_api_user_set_active_user(PHORUM_FORUM_SESSION, 1);
phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN);

print_r( $PHORUM );

This largely resembles your code, so you are defenitely on the right track here. Please check the user record that is created in Phorum's users table in the database. Does the user_id match the user_id that you provide as the function argument? And is the "active" field for the user set to 1?

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Yep, userid's match (both 14 ) and active is set to 1 for that user in the phorum db. I checked ids to make sure nothing funny was happening in the call to the login_phorum_user() function. It is passing in 14, which is the correct Phorum id.

Experienced with PHP but this is my first phorum work so not real familiar with the internal workings and what could be causing the issues.

Any other ideas?

Once the login is finished, I do a header("location: XXX") call to send them to the page they came from. This is not necessarily a phorum page, but I can not imagine that would be an issue.



Edited 1 time(s). Last edit at 12/11/2007 05:25PM by graab.

Do you see LOGGEDIN in the $PHORUM data if you print_r() it in that login function? And what happens if you force the value to 1 (so the default admin user's id).

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Yep, here is that part of the print_r right after login is called.

[DATA] => Array ( [LOGGEDIN] => 1 [FULLY_LOGGEDIN] => [ADMINISTRATOR] => 1 [GET_VARS] => Array ( [phorum_session_v5] => phorum_session_v5=14%3Af6daefbb3de1b3939852c36ed0800457 ) [POST_VARS] => ) [user] => Array ( [user_id] => 14 [username] => graab [sessid_lt] => f6daefbb3de1b3939852c36ed0800457 [sessid_st] => [sessid_st_timeout] => 0 ...

I then click on my Phorum link and it now looks like this (lots more in the phorum array than there was at login time), but my loggedin is now set to nothing???

[DATA] => Array ( [GET_VARS] => Array ( ) [POST_VARS] => [TITLE] => Homeowner Forum [DESCRIPTION] => Welcome to the Homeowner Forum [HTML_TITLE] => Phorum [HEAD_TAGS] => [FORUM_ID] => 0 [NAME] => [ENABLE_PM] => 1 [LOGGEDIN] => [FULLY_LOGGEDIN] => [ADMINISTRATOR] => [gauge_image] => templates/emerald/images/gauge.gif [default_font] => Arial [base_font_size] => medium [font_xx_large] => 145% [font_x_large] => 125% [font_large] => 115% [font_small] => 85% [font_x_small] => 75% [font_xx_small] => 65% [max_width] => 800px [body_background_color] => White [default_font_color] => Black [default_background_color] =....

It seems to be re-creating the $PHORUM var and my login is gone.

Is the Phorum session cookie created and is it created for the correct host + path? The session create should setup the session.

Oh, I think I see your problem. It is probably indeed cookie related. You are not setting the $PHORUM['use_cookies'] variable. That variable determines what kind of session control is used by Phorum. Try adding the following line to your script:

$PHORUM['use_cookies'] = PHORUM_NO_COOKIES;

I added some extra comments to the user API source code for this.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

So would $PHORUM['use_cookies'] = PHORUM_NO_COOKIES; mean I am not using cookies? I thought that I was. I have it set up in the admin to use cookies with my domain set and the / as the root dir.

I am having no luck with this. Something in my setup is wrong. In my header template I manually set the user_id and loggedin in the $PHORUM['DATA'] array... still no luck.

My function currently looks like this, not that any of it is doing anything since this data is gone once I get into the Phorum area anyway and even if I hardcode it in there, still does not seem to be working. I always get the You must be a registered user to post in this phorum )

( I grabbed the user.php file from svn and read your comments to figure out where to put the use_cookies stuff )

function login_phorum_user( $phorum_id )
	{
	$dir = realpath(dirname(__FILE__)) . "/../phorum";
	chdir( $dir ); 

	define("PHORUM", 1);

	global $PHORUM;
	
	//Phorum Includes
	include_once("include/db/config.php");
	include_once("include/db/mysql.php");
	include_once("include/api/base.php");
	include_once("include/api/user.php");
	setcookie( "phorum_tmp_cookie", "this will be destroyed once logged in", 0, "/phorum", $PHORUM["session_domain"] );
	phorum_api_user_set_active_user( PHORUM_FORUM_SESSION, $phorum_id );
	$PHORUM['use_cookies'] = 0;
	phorum_api_user_session_create(PHORUM_FORUM_SESSION, PHORUM_SESSID_RESET_LOGIN);
	echo '<pre>' . print_r( $PHORUM ) . '</pre>';
	}

Thanks again for looking at this. Can you tell me what all needs to happen for a user to be Authenticated and able to post in Phorum?

Oh, that what happens when pasting something before running out of the house in a hurry. No cookies is not okay. You need cookies, because no cookies means that URI authentication is needed. And that is something that you cannot sustain from your main website. So the correct value whould be PHORUM_REQUIRE_COOKIES.

BTW: One other method of linking could be to let Phorum inherit a session on the fly. You can write a module that hooks into "user_session_restore" hook. A basic implementation of this hook for inheritance of a user session from your main system, would look somewhat like this:

function your_mod_function_for_user_session_restore($sessions)
{
    // do some magic code that coughs up the user_id to use in Phorum,
    // based on your main site's session system. So probably something
    // like looking up the cookie, finding your main user and then turning
    // that one into the Phorum user_id (possible the same id as your
    // main system's user_id if you implemented the synchronization of
    // the users like that).
    $user_id = some_magic_that_returns_the_user_id_to_use();
    
    // If no user is logged in. Let's asume that the magic code would return
    // NULL in that case here. Note that if it would return FALSE, you could even
    // skip the whole if/then here and directly assign $user_id to the $sessions
    // array elements.
    if ($user_id === NULL) {
        $sessions[PHORUM_SESSION_LONG_TERM] = FALSE;
        $sessions[PHORUM_SESSION_SHORT_TERM] = FALSE;
    }
    // A user is logged in.
    else {s
        $sessions[PHORUM_SESSION_LONG_TERM] = $user_id;
        $sessions[PHORUM_SESSION_SHORT_TERM] = $user_id;
    }

    return $sessions;
}

If you implement your link between the systems this way, then you do not have to actively login and logout the user for Phorum. Using this method, you can provide the active user_id on a per request basis. The use of real Phorum sessions is more appropriate if you are using Phorum to authenticate the user as well.

Hehe, I typed up some familiar code here. Here's an excerpt from the embed_phorum module, which needs the exact kind of functionality. It looks pretty familiar :-)

// Inherit authenticated user sessions from the master. The session data
// for the admin interface is untouched. At a later stage in development,
// we might inherit admin logins from the master as well. For now, I think
// it's more secure to keep that with its own login system, so I won't
// extend this unless there are really a lot of requests for it.
function phorum_mod_embed_user_session_restore($data)
{
    // We do not want to run this when we're in the admin or upgrade interface.
    if (defined('PHORUM_ADMIN') || defined('PHORUM5_CONVERSION')) return $data;

    global $PHORUM_CONNECTOR;

    // Retrieve the user id for the logged in user. If no user is logged
    // in, the connector can simply return NULL.
    $user_id = $PHORUM_CONNECTOR->get_user_id();

    if ($user_id != NULL) {
        settype($user_id, "int");
        $data[PHORUM_SESSION_LONG_TERM]  = $user_id;
        $data[PHORUM_SESSION_SHORT_TERM] = $user_id;
    } else {
        $data[PHORUM_SESSION_LONG_TERM]  = FALSE;
        $data[PHORUM_SESSION_SHORT_TERM] = FALSE;
    }

    return $data;
}

This module based linking method is the one that I had in mind when writing the user API code, so as a developer I think you should try to stick with this one. It will be the most real-time based linking and there's no worrying about keeping the Phorum session going. Of course, the other route that you are taking will work fine too, once the use_cookie value is correct. There's more than one way and it's up to you to decide what road fits you most.

Good luck!

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Forgot to come back in here. Went with the user_session_restore mod solution and it worked wonderfully. Thanks for all you help. Greatly appreciated.