[Tutorial] EZ Fast Login | (SSO Integration) | Force Login To MyBB
#11
SSL is the ideal solution and given I have a certificate I should probably use it too. I work for a fairly large software vendor and we do SSO in a similar way, we store the password outside of the application, however that generally involved LDAP or Shib.
Whilst those approaches are ideal, and to an extent setting up SAML with myBB would probably be an ideal solution, I think the aim needs to be at an everyday user, who doesn't have the knowledge or skill to do that. Storing passwords in two locations is never ideal especially given the various hash differences and we will need to add a reference table (jos_mybb_user_ref) for instance, that table can hold the primary keys and allow us to easily update various aspects without things getting lost, because we won't be referencing by username.

Anyway I will get the jos side finished first and then work on the myBB side. I am not a fan of the myBB query structure, so may use the generic mybb query calls but see how I go.

Dan
Reply
#12
Hi everybody
I have implemented a website with ASP.NET MVC4 and Web API.
So
I want to integrate my login procedure with MyBB.

Scenario:
First, the user comes to my website (ASP.NET) and creates an account.
Second, he will be able to log in to the MyBB forum through the account created on the ASP.NET website.

Note: I created a web service with ASP.NET MVC Web API, so I want MyBB to consume my API for authentication!

This is my university project, please help me with this.
Reply
#13
(2012-10-24, 09:57 AM)totti_acmilan17 Wrote: Hi everybody
I have implemented a website with ASP.NET MVC4 and Web API.
So
I want to integrate my login procedure with MyBB.

Scenario:
First, the user comes to my website (ASP.NET) and creates an account.
Second, he will be able to log in to the MyBB forum through the account created on the ASP.NET website.

Note: I created a web service with ASP.NET MVC Web API, so I want MyBB to consume my API for authentication!

This is my university project, please help me with this.

Hi,
I just saw this, been gone too long.
You need a secure way to tell MyBB that you are already logged into the other script (or vice versa)

#
Here maybe this example will help, to show the idea:
  • The main point (below) is you could load the Drupal core even after loading MyBB globals in the same script.
  • So SSO was truly easy: Verify one login and auto/force login to the other.

SSO into Drupal 5 from MyBB (probably doesn't work with Drupal 7)
<?php
// Load MyBB first; global.php sets up $mybb and the current session
define('IN_MYBB', 1);
require_once '../bb/global.php';

// Only continue for a visitor MyBB already recognises as logged in
if($mybb->user['uid']) {
    $username = $mybb->user['username'];
} else {
    error_no_permission();
}

// Require the bootstrap include
require_once './includes/bootstrap.inc';
// Load Drupal
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
global $user;
// Look up the Drupal account with the same username and force the login
$account = user_load(array('name' => $username));
$account = user_external_login($account);

header("Location: http://example.com/drupal");
header("Content-Length: 0");
exit;
?>

Does anyone know how to update that for Drupal 7?
I tried and the "force login" had changed and didn't seem to work.


###
Edit:
This might work for Drupal 7:
Autologin using Drupal 7 = http://drupal.org/node/151515#comment-5754918
...
Not sure if Drupal 7 can still be included with MyBB like my example above, needs to be tested...
#
MyBB is the best forum software! Exclamation

Reply
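
Added example (not part of the thread and not seeker's code): one way to give MyBB "a secure way to tell" that the other site has already authenticated the user is a signed, short-lived token sent over HTTPS, checked before any force-login code runs. The token layout and the names `SSO_SECRET`, `SSO_TTL`, `sso_issue()` and `sso_verify()` are assumptions made for this sketch.

```php
<?php
// Added example: HMAC-signed, short-lived handoff token for the SSO bridge.
// SSO_SECRET, SSO_TTL, sso_issue() and sso_verify() are hypothetical names,
// not MyBB API. Needs PHP 7+ (random_bytes, hash_equals).

const SSO_SECRET = 'PLACEHOLDER-use-32-or-more-random-bytes'; // shared by both scripts
const SSO_TTL    = 60; // seconds a token stays valid

// Main site: call only after the user has authenticated there.
function sso_issue($username)
{
    $payload = base64_encode(json_encode(array(
        'u'   => $username,
        'exp' => time() + SSO_TTL,
        'n'   => bin2hex(random_bytes(16)), // nonce, makes the token single-use
    )));
    return $payload . '.' . hash_hmac('sha256', $payload, SSO_SECRET);
}

// MyBB side: returns the username to pass on as $name, or false to refuse.
function sso_verify($token, array &$seen_nonces)
{
    $parts = explode('.', (string) $token);
    if (count($parts) !== 2) {
        return false;
    }
    list($payload, $mac) = $parts;
    // Check the MAC in constant time before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $payload, SSO_SECRET), $mac)) {
        return false;
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['u'], $data['exp'], $data['n'])) {
        return false;
    }
    if ($data['exp'] < time() || isset($seen_nonces[$data['n']])) {
        return false; // expired or already used
    }
    $seen_nonces[$data['n']] = $data['exp']; // keep in a DB table in real use
    return $data['u'];
}

// Constructed demo: first use, replay of the same token, tampered token.
$seen  = array();
$token = sso_issue('alice');
var_dump(sso_verify($token, $seen));
var_dump(sso_verify($token, $seen));
var_dump(sso_verify('x' . $token, $seen));
```

The same check works when the issuing side is not PHP (for example an ASP.NET Web API), as long as both sides compute HMAC-SHA256 over the identical payload string with the same secret.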
#14
How to do it in PHP? SSO: logging in to the main website will automatically log the person in when they visit the forum, or vice versa.
Reply
#15
(2012-05-17, 03:10 PM)seeker Wrote: Most of this code is originally from MyBB 1.4, but does work in 1.6
  • You can use it to (force) login to MyBB as someone is logging into your other system/script/CMS, etc.
  • Works anywhere you are able to include ' mybb/global.php '

Please note: I'm not an expert on avoiding conflicts with your other script. I use this code with SSL and encrypted tokens, and those subjects are beyond the purpose of this tutorial.


// !! Use w/ caution this logs a user in without a password
// auth is already done above
// You now have the MyBB username currently stored in  $name

define('IN_MYBB', 1);
// Modify path here for your needs:
require_once './global.php';

// Escape $name before it goes into the WHERE clause
$query = $db->simple_select("users", "uid,username,password,salt,loginkey,email,usergroup", "username='".$db->escape_string($name)."'", array('limit' => 1));
$user = $db->fetch_array($query);
// Stop if no MyBB account matches; otherwise the session would be tied to an empty uid
if(!$user)
{
    error_no_permission();
}
my_setcookie('loginattempts', 1);
// Remove other sessions from this IP, then bind the current session to the user
$db->delete_query("sessions", "ip='".$db->escape_string($session->ipaddress)."' AND sid != '".$session->sid."'");
$newsession = array(
    "uid" => $user['uid'],
);
$db->update_query("sessions", $newsession, "sid='".$session->sid."'");

$db->update_query("users", array("loginattempts" => 1), "uid='{$user['uid']}'");

// Temporarily set the cookie remember option for the login cookies
$mybb->user['remember'] = $user['remember'];

my_setcookie("mybbuser", $user['uid']."_".$user['loginkey'], null, true);
my_setcookie("sid", $session->sid, -1, true);

$plugins->run_hooks("member_do_login_end");

// Modify below here for your needs:
//  $user= $user['username'];
// urlencode() keeps the value of $return inside its own query parameter
header("Location: enter_here.php?return=".urlencode($return)."&status=hello");
header("Content-Length: 0");
exit;


#
Edit:
  • This (above) shows SSO Integration (Single-Sign-On), but doesn't cover integration (syncing) of both user tables in your database.
  • For basic use: You could have a small group of Admins/Editors who can log into your CMS (and this code gives them SSO into MyBB forum), while everyone else logs in normally to your forum.
  • For advanced applications: Anyone with a matching username in "YourCMS" can instantly login to your MyBB forums.


##
Feel free to ask questions, but sometimes my answer might be "it works figure it out". Toungue

can someone please confirm this still works and is safe for 1.8+?
Reply
#16
(2012-07-31, 06:56 AM)Dannymh Wrote: I find Jfusion suffers from random logouts and other oddities. I will be also looking into making a wordpress dual login after this as well.

So I didn't have much of a chance to work on this today, but have been able to do the following (I will break this out to a new thread soon).

So I altered the queries for Joomla and this is my login functions

- Set Cookie function
function mybb_setcookie($name, $value="", $expires="", $httponly=false)
	{
		$db = JFactory::getDBO();

		$mybbcookiepath = $this->mybb_get_setting('cookiepath');
		$mybbcookiedomain = $this->mybb_get_setting('cookiedomain');
		$mybbcookieprefix = $this->mybb_get_setting('cookieprefix');

		//echo "cookie: ".$mybbcookiepath;
		//exit;

		if($expires == -1)
		{
			$expires = 0;
		}
		elseif($expires == "" || $expires == null)
		{
			$expires = TIME() + (60*60*24*365); // Make the cookie expire in a years time
		}
		else
		{
			$expires = TIME() + intval($expires);
		}

		$mybbcookiepath = str_replace(array("\n","\r"), "", $mybbcookiepath);
		$mybbcookiedomain = str_replace(array("\n","\r"), "", $mybbcookiedomain);
		$mybbcookieprefix = str_replace(array("\n","\r", " "), "", $mybbcookieprefix);

		// Versions of PHP prior to 5.2 do not support HttpOnly cookies and IE is buggy when specifying a blank domain so set the cookie manually
		$cookie = "Set-Cookie: {$mybbcookieprefix}{$name}=".urlencode($value);

		if($expires > 0)
		{
			$cookie .= "; expires=".@gmdate('D, d-M-Y H:i:s \\G\\M\\T', $expires);
		}

		if(!empty($mybbcookiepath))
		{
			$cookie .= "; path={$mybbcookiepath}";
		}

		if(!empty($mybbcookiedomain))
		{
			$cookie .= "; domain={$mybbcookiedomain}";
		}

		if($httponly == true)
		{
			$cookie .= "; HttpOnly";
		}
		
		// $mybb is not defined inside this Joomla method, so the $mybb->cookies assignment from the MyBB original is left out

		header($cookie, false);
	}

login function
function mybb_log_me_in($name, $password)	{
		$db = JFactory::getDBO();
		// !! Use w/ caution this logs a user in without a password
		// auth is already done above
		// You now have the MyBB username currently stored in  $name

		// quote() escapes $name and adds the surrounding quotes
		$query = "select uid,username,password,salt,loginkey,email,usergroup from mybb_users where username=".$db->quote($name)." limit 1";
		$db->setQuery($query);
		// loadRow() returns a numeric array: [0] uid, [2] password, [3] salt, [4] loginkey
		$user = $db->loadRow();

		// No matching MyBB user: nothing to log in
		if(!$user)	{
			return;
		}

		// Strict comparison, so two hashes that look like numbers (0e...) are never treated as equal
		if(md5(md5($user[3]).md5($password)) === $user[2])	{
			// The password matches the password in the database so lets log them in
			$this->mybb_setcookie('loginattempts', 1, null);

			// The closing quote after the IP value was missing; quote() now supplies both quotes
			$db->setQuery("Delete from mybb_sessions where ip=".$db->quote($_SESSION['IPADDR'])." AND sid !=".$db->quote(session_id()));
			$result = $db->query();

			$db->setQuery("Update mybb_sessions set uid=".(int)$user[0]." where sid=".$db->quote(session_id()));
			$result = $db->query();
			if(!$result)	{
				echo $db->getErrorMsg()."<br/>";
				exit;
			}

			//$db->setQuery("Updaye mybb_users set uid=".$user['id']." where sid='".$session->sid."'");
			//$result = $db->query();
			//$db->update_query("users", array("loginattempts" => 1), "uid='{$user['uid']}'");

			//Skipped above 3 lines, this just increases the login attempts by 1, however given we are successful in our Joomla login we shouldn't need this

			// Temporarily set the cookie remember option for the login cookies
			//$mybb->user['remember'] = $user['remember'];

			$this->mybb_setcookie("mybbuser", $user[0]."_".$user[4], null, true);
			$this->mybb_setcookie("sid", session_id(), -1, true);
		}
	}

- small function to grab myBB settings by name
function mybb_get_setting($setting)	{
		$db = JFactory::getDBO();
		// quote() escapes the setting name; the second argument of setQuery() is a row offset, not a table prefix, so it is dropped
		$db->setQuery("select value from mybb_settings where name=".$db->quote($setting));
		$result = $db->loadResult();
		//echo "Query: select value from mybb_settings where name='".$setting."' result: ".$result[0]." <br>";
		if(!$result)	{
			echo $db->getErrorMsg()."<br/>";
		}
		return $result;
	}

As you can see I added a salt check, it really shouldn't be needed as if you are authenticated with Joomla you should be authenticated with mybb, however adding an extra security layer never really hurt anyone. (I forgot about Joomla not using named arrays in the loadRow() query, eek.)

Of course this all assumes the tables for myBB and Joomla are in the same database, and assumes that the table prefix for mybb is mybb_

None of this will work without calling the $this->mybb_log_me_in($credentials['username'], $credentials['password']);

Which I am doing inside the joomla.php auth script in the onAuthenticate area, you call it where the success message is and you should be good to go.

I need to write all of this into a proper user plugin for joomla with parameters for setting the table prefix and I need to fix the "remember me" stuff.

I will package it with a user function and a sync system if I get the chance that can be called on registration on Joomla side and also on changing passwords so that they are properly inserted on both sides, name change really shouldn't matter, if data is pushed from both tables it really is no big deal. I have already written this for my site and jFusion anyway.

After I am done with that I will write one for the myBB side so that the login system of myBB also logs you into Joomla and does all of the same actions as above. I believe that way for most people all bases will be covered for the user integration and login systems and we can break the need for jFusion.

After all that is complete I will adapt the scripts to wordpress and we should have a system that works for good user integration in both and we can expand them later to synch and manage profiles better.

Of course if the interest is not there I will keep them to myself Smile

I couldn't have really gotten to this point without your code above, so for that I thank you.

Dan

Oh additionally once I have completed all this work, it should be pretty simple for anyone to adapt this to other systems and CMS, in fact I should be able to help with that, once I go through the learning curve.

The hardest part is getting the right cookies set correctly and handling the password to make sure they are all correctly hashed. However that should be relatively simple information to find out I would imagine. My coding style is not too formal but it is effective enough.


""""" Of course if the interest is not there I will keep them to myself Smile

I couldn't have really gotten to this point without your code above, so for that I thank you.

Dan """""


Hi Dan,
I just rediscovered your efforts and am still interested.
"This type of stuff" is a personal favorite, but finding the time can be hard. I also thank you.
#
MyBB is the best forum software! Exclamation
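
Added example (not code from the thread or from MyBB): the salt check in `mybb_log_me_in()` compares two MD5 hex strings, and that comparison has to be type-strict (`===` or `hash_equals()`) rather than `==`. The sketch below shows the difference on constructed values and also handles the case where `loadRow()` finds no user; `verify_mybb_row()` and `mybb_hash()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread or from MyBB. verify_mybb_row() is a
// hypothetical helper; $row is numeric-indexed like Joomla's loadRow() result:
// [0] uid, [1] username, [2] password hash, [3] salt (column order from the post).

function mybb_hash($salt, $password)
{
    return md5(md5($salt) . md5($password)); // same expression as in the post
}

// Returns the uid on success, false otherwise.
function verify_mybb_row($row, $password)
{
    // loadRow() gives null when no user matched; never index into it blindly.
    if (!is_array($row) || !isset($row[0], $row[2], $row[3])) {
        return false;
    }
    $stored = (string) $row[2];
    // A stored value that is not 32 hex characters is not an MD5 digest.
    if (!preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return false;
    }
    // hash_equals() (PHP >= 5.6) compares as strings, in constant time.
    return hash_equals($stored, mybb_hash($row[3], $password)) ? (int) $row[0] : false;
}

// Why not ==: two different strings of the form 0e<digits> are both parsed as
// the number 0, so PHP reports them equal. Values below are constructed.
$a = '0e123456789012345678901234567890';
$b = '0e987654321098765432109876543210';
var_dump($a == $b, $a === $b, hash_equals($a, $b));

// Constructed rows: a correct password, a wrong password, and no matching user.
$salt = 'Xy7pQ2aB';
$row  = array(42, 'alice', mybb_hash($salt, 'correct horse'), $salt);
var_dump(verify_mybb_row($row, 'correct horse'));
var_dump(verify_mybb_row($row, 'wrong'));
var_dump(verify_mybb_row(null, 'anything'));
```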

Reply

