|
Single Signin / Login Integration Tip
by
12 May 2006
Hi people, first post here, hope its useful I've just installed vbulletin on a client site as they needed a forum/discussion facility and vbulletin provided good moderation facilities. They wanted existing users who were logged into the site not to have to log in again in order to use vbulletin. I noticed there wasnt much help for this on the forum and quite a few posts asking how it could be done. Since I have solved part of the problem I thought it might be useful to share it with you. Essentially the problem is to log in an existing user into vbulletin outside of the vbulletin environment so that when they access a vbulletin page it recognises them. This, as you might imagine involves the use of cookies. The way I have gone about it is to create an authentication handler in apache to be triggered when anyone tries to access a vbulletin page (i have vbulletin installed under /vb/) Since we are using mod_perl, the httpd.conf directive looks a bit like this... <Location /vb/> AuthType BLAHType AuthName BLAHName PerlAccessHandler BLAH->login_to_vb </Location> So.. when a user asks for a vb page, first it runs the login_to_vb method in module BLAH. (but you could probably make this a php page or something else) the login_to_vb script routine works as follows 1) it gets the currently signed in username and password (this will depend on the authorisation your website uses 2) it POSTs this information to /vb/login.php. In perl I do it like this... my $browser = LWP::UserAgent->new; my $response = $browser->post( $url, [ vb_login_username=>$user, vb_login_password=>$pass, do=>'login'); 3) It reads the cookies from the header recieved back and the places them into the outgoing headers.. my $header = $response->headers; my @cookies = $header->header('Set-Cookie'); foreach my $c (@cookies) { $r->headers_out->add('Set-Cookie',$c); } 4) Finally, it redirects the user to the page they were trying to access. my $redir_url = "http://".$r->hostname.$r->uri; my $pathinfo = join '&', ( map { "$_=$args->{$_}" } keys %{$args} ); $redir_url.= "?$pathinfo" if $pathinfo; $r->headers_out->add("Location" => $redir_url); $r->status(302); $r->send_http_header; Apache::exit; BUT.. there is a problem... vbulletin is clever, when you login, it registers your IP address against the session it creates for you. Next time you hit a vbulletin page it checks your IP against that session to make sure it is handing it back to the correct user. If you look at the file includes/class_core.php you will find a SQL query around line 2460 that looks mostly like this... if ($session = $db->query_first(" SELECT * FROM " . TABLE_PREFIX . "session WHERE sessionhash = '" . $db->escape_string($sessionhash) . "' AND lastactivity > " . (TIMENOW - $registry->options['cookietimeout']) . " AND ( ( host = '" . $this->registry->db->escape_string(SESSION_HOST) . "' AND idhash = '" . $this->registry->db->escape_string(SESSION_IDHASH) . "' ) OR host = '".$_SERVER['SERVER_ADDR']."' ) ")) { If you modify the query to what I have here, the server will happily let you log in if the session originally came from the server IP address, regardless of the IDHASH or HOST address. This reduces security a little bit so if you are very security conscious you might need to adjust this to suit you better. What else? Well, you don't really want the script to log you in EVERY time you access a vB page - bit excessive. So I set an extra cookie with a timestamp and only log in if a certain time has passed since it last logged you in. I set this interval just lower than the timeout set in vbulletin so that it logs you back in just before the vbulletin timeout kicks in. You can hard code this or pull it out of the vbulletin database settings. Obviously this just handles the login process.. You will need to find a way to keep the users details in sync. There are instructions for editing users details remotely on this site so I dont really need to cover that. One way though, would be to turn off user profile/password editing in the bulletin software and simply update the vbulletin user database from your existing application. To make updates to the vbulletin user database you need to create a php file (say /vb/updateVB.php within your vb directory that you can call upon to make changes to the user table. It would probably start something like this.. require_once('./global.php'); require_once('./includes/class_dm.php'); require_once('./includes/class_dm_user.php'); $userdm = new vB_DataManager_User($vbulletin, ERRTYPE_ARRAY); $userdm->set('username', qpc_post('username')); $userdm->set('password', qpc_post('password')); etc... Then from your application you can make GET requests to your script eg: /vb/updateVB.php?do=new_user&username=blah&password=blah Hope someone finds this of use. regards, Tom |