unity100 - 2012-03-30

INSTALLATION

What these code modifications do is create a single sign-on across multiple domains, for both phpBB and other sites/code/apps to use.

These modifications use the phpBB user tables, sessions, everything.

What it does is set cookies for each domain by using iframes, which load a connect.php file placed on each remote domain that needs authentication from phpBB. This is how numerous sites like Facebook do it. Currently there is no other legitimate way of setting cookies for a domain other than the active one: you have to have a page that loads the cookie-setting code from the remote domains.

However, loading the authentication page, the remote authenticator pages in their iframes, and the redirection is VERY fast, taking only 1 to 1.5 seconds, just like what you see on Facebook or any other site that uses this method.

All files contain extensive comments, and also include configuration variables to change.

All the files are separate from the phpBB installation; they do not modify phpBB in any way.

The code may not be perfect, and various parts of it may not be best security practice; you may change these parts as you see fit.

How the code works:

remotebar.php is a file, included in the remote app, that checks sessions and sends back not only session info but also a top bar to include in the remote application. This top bar includes a login/logout form which remembers state and keeps redirection info too. If you wish, you can drop all the code relating to the remote login form/bar and keep just the authentication code; however, the remote login/logout form is convenient. Having a remote bar is also convenient since it allows you to send over a bar/insert that is included in all remote domains/apps, which can carry common messages, code, advertising inserts or statistics code.

You echo/include that bar at the proper place in your template or app. The user can then use the login/logout form to send requests to authenticate.php, which does the logins and logouts.

authenticate.php, when a request comes to it, first does the proper login/logout procedure for the phpBB installation it is located with. Then it requests connect.php, which sits in the requesting domain, to set the cookie for that domain. authenticate.php sends the cookie info to connect.php through _POST and uses an internal key to authenticate itself; it posts this info to an iframe inside its own page. It is possible to do authentication for any number of domains by copy/pasting and modifying the form code, iframe and JavaScript. Just make sure that only the final connect.php, the one loaded in the last domain, redirects the parent to the redirection URL: if any other domain does that, the ones which were not loaded yet will fail to set their cookie.

connect.php checks the auth key, then reads the cookie info and sets or deletes the cookie with its own remote domain name (remotedomain1.com etc.). Then, from its iframe, it redirects the page authenticate.php was in to whatever redirect value was passed to the script.

As a result, the user's browser returns to wherever it was in just a second or two, now logged in/out and seeing the proper state of the application based on his/her login.

Normally, all connections between these files should be made over SSL, or curl.
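Here is an added example (not one of unity100's files, and not the project's own code) of how the authenticate.php to connect.php hand-off described above could be done with a signed, time-limited, one-time request rather than a bare key comparison, and with the redirect restricted to a local path. It assumes PHP 7.4 or later, a shared secret REMOTE_AUTH_KEY configured identically on both domains, a cookie name of your choosing, and HTTPS on both ends (modern browsers only accept a cookie set from a cross-site iframe when it carries SameSite=None; Secure); all function and field names are the example's own.

```php
<?php
// Added example: signed authenticate.php -> connect.php hand-off.
// Assumptions (not from the original post): shared secret below, PHP 7.4+, HTTPS.

const REMOTE_AUTH_KEY = 'CHANGE-ME-long-random-secret'; // placeholder, same on both domains
const REQUEST_MAX_AGE = 60;                             // seconds a signed request stays valid
const SIGNED_FIELDS   = ['action', 'name', 'value', 'redirect', 'final', 'ts', 'nonce'];

// HMAC over the fixed field list, so the receiver can rebuild it exactly.
function sign_fields(array $fields): string {
    $subset = [];
    foreach (SIGNED_FIELDS as $k) {
        $subset[$k] = $fields[$k] ?? '';
    }
    return hash_hmac('sha256', http_build_query($subset), REMOTE_AUTH_KEY);
}

// Sender side (lives with authenticate.php): the hidden form fields POSTed into
// the remote domain's iframe. $final is true only for the last domain in the
// chain, which is the only one allowed to redirect the parent page.
function build_connect_fields(string $action, string $cookieName, string $cookieValue,
                              string $redirect, bool $final): array {
    $fields = [
        'action'   => $action,            // 'login' or 'logout'
        'name'     => $cookieName,
        'value'    => $cookieValue,
        'redirect' => $redirect,
        'final'    => $final ? '1' : '0',
        'ts'       => (string) time(),
        'nonce'    => bin2hex(random_bytes(16)),
    ];
    $fields['sig'] = sign_fields($fields);
    return $fields;
}

// Receiver side (lives in connect.php on the remote domain). Returns an error
// string, or null when the request is acceptable.
function verify_connect_request(array $post, callable $nonceSeen): ?string {
    foreach (array_merge(SIGNED_FIELDS, ['sig']) as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return "missing field $k";
        }
    }
    if (!in_array($post['action'], ['login', 'logout'], true)) {
        return 'unknown action';
    }
    if (abs(time() - (int) $post['ts']) > REQUEST_MAX_AGE) {
        return 'request expired';
    }
    if (!hash_equals(sign_fields($post), $post['sig'])) {  // constant-time compare
        return 'bad signature';
    }
    if ($nonceSeen($post['nonce'])) {
        return 'replayed request';
    }
    // Only a local path may be used as the redirect target, so the parameter
    // cannot bounce the user to an arbitrary site.
    $r = $post['redirect'];
    if ($r === '' || $r[0] !== '/' || substr($r, 0, 2) === '//') {
        return 'redirect must be a local path';
    }
    return null;
}

// Small file-backed nonce store: remembers nonces for REQUEST_MAX_AGE seconds.
function file_nonce_seen(string $nonce): bool {
    $fh = fopen(sys_get_temp_dir() . '/connect_nonces.json', 'c+');
    flock($fh, LOCK_EX);
    $now  = time();
    $data = json_decode(stream_get_contents($fh), true) ?: [];
    $data = array_filter($data, fn($ts) => $now - $ts <= REQUEST_MAX_AGE);
    $seen = isset($data[$nonce]);
    $data[$nonce] = $now;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($data));
    flock($fh, LOCK_UN);
    fclose($fh);
    return $seen;
}

// Set or delete the cookie for this remote domain with hardened attributes.
function apply_cookie(array $post): void {
    $opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None'];
    if ($post['action'] === 'logout') {
        setcookie($post['name'], '', ['expires' => time() - 3600] + $opts);
    } else {
        setcookie($post['name'], $post['value'], ['expires' => time() + 30 * 86400] + $opts);
    }
}

// connect.php entry point (skipped when the file is merely included or run from CLI).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $err = verify_connect_request($_POST, 'file_nonce_seen');
    if ($err !== null) {
        http_response_code(403);
        exit($err);
    }
    apply_cookie($_POST);
    if ($_POST['final'] === '1') {
        // Redirect the page authenticate.php was in; json_encode escapes "</" safely.
        echo '<script>window.top.location.href = ' . json_encode($_POST['redirect']) . ';</script>';
    }
}
```

On the authenticate.php side, the array returned by build_connect_fields() is rendered as hidden inputs in the form whose target is the connect.php iframe; because the signature covers the timestamp and nonce, a captured POST cannot be replayed after REQUEST_MAX_AGE seconds or a second time within it, and the shared key itself never travels in the request.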

Without further ado, installation:

You will need to turn off the referer, browser, etc. checking in sessions.php. To do that, either disable them all in phpBB's security settings, or change the line below in sessions.php

if($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid)

to

if (($u_ip === $s_ip && $s_browser === $u_browser && $s_forwarded_for === $u_forwarded_for && $referer_valid) OR $config['api_request'])

and add a line

$config['api_request']=true;

to config.php. You can do this in other ways of course, depending on your setup; note that because the flag is set unconditionally in config.php, this disables all forwarded-for, browser, IP and referer checking for every session, not only for API requests.

Place the connect.php file in the root of the remote domain that you need to authenticate with phpBB. This code will set the cookie for that domain when authorization is done.

Place authenticate.php in the phpBB folder. So if your forum is under forum/ in your domain, it should be there.

Place remotebar.php in the same place as the above.

You need to place the code in appinsert.php, by copy/pasting it or including it as a file, at a proper point in the remote site/application's common include. So if application_top.php is included in every osCommerce file, say, then this code insert needs to go there. Placement is important since some apps may reset some variables at various points in the code. However, if you are using WordPress, don't use any code from appinsert.php; instead use the included WordPress plugin phpbb_auth_plugin.php.

Also, include the small JavaScript snippet that toggles the login form on/off somewhere in the head section of your remote site's HTML. That small script makes the login form in the bar toggle on and off.

Since this code does not modify phpBB, and cannot be installed using any phpBB mod system, I am going to include the files right here directly. To use the WordPress plugin phpbb_auth_plugin.php, just upload that file to your WordPress plugins folder, and then install and activate it from WordPress.


Last edit: unity100 2012-04-25