I am using the Single Sign-On module to integrate users of a PhpBB forum with Drupal users. I have installed PhpBB in the root of my project. I've also installed the Single-Sign-On module and configured it properly, and it shows the success message after configuring the module.

But I can't log in to PhpBB with my Drupal users yet.

I tried PhpBB version 3.0.10 and PhpBB version 3.1.2, but neither of them has been integrated with Drupal. I am wondering if I should use a specific version to solve my issue or if I am missing something else about installing this module.
Does this module integrate the authentication system of Drupal and php, or does it need to be used with other modules like phpbbforum?

Comment | File | Size | Author
#7 | phpbb_3.1_plus_multiple_databases.patch | 20.18 KB | Anonymous (not verified)
#4 | phpbb_3.1_login_0.2.diff | 2.39 KB | cagonza6
#3 | phpbb_3.1_login.diff | 1.17 KB | cagonza6

Comments

cagonza6’s picture

Before starting, please read this: https://www.phpbb.com/community/viewtopic.php?f=71&t=2253811

I have the same issue as in the first post, so I decided to take a look at the code. Our problem is with a bridge, but the seed of the problem is the same: the hashing of the passwords.

1st part

The old phpBB uses a hash for a certain password with a different structure, as in the link from before:
Old system

Pass: banana
hash: $H$9b3gqsNKUF0E2hVNPL4sIjoj8sNOR0/

The length is 34.

2nd part
The new login algorithm of phpBB uses something called CRYPT_BLOWFISH that can generate passwords with another structure. I'm just starting to dig into the problem, but that new "tool" (or whatever it is) gives dynamic hashes that depend on the system where the script runs. At different moments it gives different hashes:

New system

- 1st try-
Pass: banana
hash: $2a$08$gxRd8DguNMzY9RAaDsUylOM24LXxe9c.5X/YXvVNmGWJz4e16xer
- 2nd try-
Pass: banana
hash: $2a$08$Tmun2Jd29rMrEZT.QOeZZup4g.kp/EWlA.NGvLGOaoqQ5uUMnEdAC

The length is 60.

The reason
The difference is due to something called "portable_hashes", which makes the whole process more difficult to hack and, therefore, complicates the hashes.

The Solution
One option is to update the script used, "phpass 0.1", to version 0.3, including the option to use "portable hashes", or to include just that part in the actual code.

At least, that is what I understood after digging into the code and reading about the new hashing systems.

I'm working on that thing.
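The two hash formats quoted in the comment above can be checked by one verifier that reads the scheme, cost and salt back out of the stored hash. The following is an added example, not code from phpbb_sso or from any poster in this thread; it follows the phpass portable-hash algorithm for `$H$` values, uses PHP's built-in password_verify() for bcrypt, and all example_* names are hypothetical (PHP 7.1 or later assumed).

```php
<?php
// Added example, not phpbb_sso code; every example_* name is hypothetical.
const EXAMPLE_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass base64 variant: emits 6 bits at a time, low bits first.
function example_encode64(string $in, int $count): string {
  $map = EXAMPLE_ITOA64; $out = ''; $i = 0;
  do {
    $v = ord($in[$i++]);
    $out .= $map[$v & 0x3f];
    if ($i < $count) { $v |= ord($in[$i]) << 8; }
    $out .= $map[($v >> 6) & 0x3f];
    if ($i++ >= $count) { break; }
    if ($i < $count) { $v |= ord($in[$i]) << 16; }
    $out .= $map[($v >> 12) & 0x3f];
    if ($i++ >= $count) { break; }
    $out .= $map[($v >> 18) & 0x3f];
  } while ($i < $count);
  return $out;
}

// Recompute a "$H$" hash from the cost (offset 3) and salt (offsets 4-11)
// stored inside $stored; NULL if $stored is malformed.
function example_portable_hash(string $password, string $stored): ?string {
  $log2 = strlen($stored) === 34 ? strpos(EXAMPLE_ITOA64, $stored[3]) : false;
  if ($log2 === false || $log2 < 7 || $log2 > 30) { return null; }
  $hash = md5(substr($stored, 4, 8) . $password, true);
  for ($n = 1 << $log2; $n > 0; $n--) { $hash = md5($hash . $password, true); }
  return substr($stored, 0, 12) . example_encode64($hash, 16);
}

// Choose the verifier from the scheme prefix; unknown schemes are rejected.
function example_check_password(string $password, string $stored): bool {
  if (strncmp($stored, '$H$', 3) === 0) {            // phpBB 3.0 portable hash
    $candidate = example_portable_hash($password, $stored);
    return $candidate !== null && hash_equals($stored, $candidate);
  }
  if (preg_match('/^\$2[axy]\$\d\d\$/', $stored)) {  // bcrypt
    return password_verify($password, $stored);      // salt is read from $stored
  }
  return false;
}

// Same password hashed twice: the random salts make the strings differ, so
// checks must go through the verifier. The "$H$" value is quoted from the thread.
$a = password_hash('banana', PASSWORD_BCRYPT, ['cost' => 8]);
$b = password_hash('banana', PASSWORD_BCRYPT, ['cost' => 8]);
var_dump($a === $b, example_check_password('banana', $a), example_check_password('banana', $b));
var_dump(example_check_password('banana', '$H$9b3gqsNKUF0E2hVNPL4sIjoj8sNOR0/'));
```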

fizk’s picture

Title: Single-Sign-On Module Not integrating users of phpbb forum and my drupal users » Add support for phpBB 3.1
Version: 7.x-1.0-beta1 » 7.x-1.x-dev
Assigned: faren.de » Unassigned
Category: Support request » Feature request
Issue tags: -single sign on

@cagonza6 Thanks for your help, it looks like phpBB 3.1 changed the way they create and manage passwords. I'd be happy to review any patches you have.

@faren.de As of right now, phpbb_sso will not work with phpBB 3.1. I'd recommend using the latest phpBB 3.0.x.

cagonza6’s picture

File size: 1.17 KB

I have to say that I'm not really a programmer, I just learn by myself.
Anyway, here it is. The changes are not really big, but I think I did break something.

cagonza6’s picture

File size: 2.39 KB

I realized I have uploaded the wrong patch. The difference is a modification in a query in the method: _phpbb_sso_check_user()
filename: phpbb_3.1_login_0.2.diff

fizk’s picture

Thanks. I took a look at this, and it seems the auth system allows for a lot more varieties of password hashes. We'll need to be compatible with all of them.

heshanlk’s picture

Status: Active » Needs work

If the server doesn't have mcrypt installed then it uses md5 (if it is available) and this module seems to work fine out of the box with 3.1. You need to have the cookie domain config the same as the domain hosting your Drupal site.

Anonymous’s picture

I applied two patches (namely the one already attached to this issue and the support for a different database than Drupal's current one).

After fiddling about and probably having to repeat the same code too many times, I ended up with a working solution.

Currently, the support for different databases uses a helper function in phpbb_sso.module called phpbb_sso_db_set_active. This is similar to the one used in the phpbb_sso.admin.inc.
The current version accepts various values as parameters, which probably should just be a single array instead. See below for the helper.

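/**
 * Sets the active database connection to the stored one or uses provided values.
 * The connection stays active until db_set_active() is called again, so the
 * caller has to switch back to Drupal's own database afterwards.
 * @param string $db
 * @param string $db_user
 * @param string $db_pass
 * @param string $db_prefix
 * @todo Pass the values as an array for easier usage?
 */
function phpbb_sso_db_set_active($db = '', $db_user = '', $db_pass = '', $db_prefix = '') {
    // Fall back to the stored settings only when no connection values were given.
    // (The third test originally checked $db_user a second time instead of $db_pass.)
    if (empty($db) && empty($db_user) && empty($db_pass)) {
        $db      = variable_get('phpbb_sso_phpbb_db', '');
        $db_user = variable_get('phpbb_sso_phpbb_db_user', '');
        $db_pass = variable_get('phpbb_sso_phpbb_db_pass', '');
        $db_prefix = variable_get('phpbb_sso_phpbb_table_prefix', '');
    }
    // Copy Drupal's default connection and override only the phpBB-specific parts.
    $connection_info = Database::getConnectionInfo('default');
    $connection_info['default']['database'] = $db;
    $connection_info['default']['username'] = $db_user;
    $connection_info['default']['password'] = $db_pass;
    $connection_info['default']['prefix'] = array('default' => $db_prefix);
    // Register the connection under the database name as its key and activate it.
    Database::addConnectionInfo($db, 'default', $connection_info['default']);
    db_set_active($db);
}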

I found this has to be called after any module_load_includes but before any db_query calls that want to target the phpBB database. One solution would be to have the database details in Drupal's settings.php and have the db_query use the specific target instead.

All-in-all, the patch is still a very much work in progress but it works.

Tested with Drupal 7.36 and phpBB 3.1.3

Now we only need the accompanying extension for phpBB 3.1 to add support for using Drupal logins in phpBB and destroying Drupal sessions with the phpBB ones on logout.

Kapu’s picture

Hey,
I found this topic very helpful in integrating my Drupal site with phpbb 3.1. The session is created successfully in the database, but the cookie is not created. I checked the values many times, and it seems that all of them are OK. I also tried to use the setcookie() function, but with no success. My forum is on forum.mydomain.com, while the Drupal site is on mydomain.com. When I enter the forum after logging into Drupal, I still have a cookie for the anonymous user, even though my user is logged in.

Sequencing.com’s picture

We're experiencing the same issues with session persistence as Kapu. Any possible solutions?

  • fizk committed 0a8bfd7 on 7.x-1.x
    Issue #2393417: Add support for phpBB 3.1
    
fizk’s picture

Status: Needs work » Fixed

I've committed support for phpBB 3.1. It will work if your phpBB password uses the old MD5 hash or the new bcrypt hash, which is expected to cover most cases.

There are a bunch of odd hashes in phpBB 3.1 that I doubt anyone uses, so I haven't added support for them yet.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.