Recently, I was tasked with creating a single-sign-on solution for phpBB, where the user would login to our application, and when clicking a link to take them to a support forum, they’d already be logged in. phpBB isn’t known for having a great API with which to integrate, but the code works, and the product works. The authentication works on the premise of providing credentials, logging in, which creates a session in the phpBB database. A cookie value is set, which ties the user to the server-side session. When you have the 2 disparate systems, the domains might be different, but on the same top-level domain. This means if we could get the session ID and set a cookie on the next domain level up, we could be logged in.

The implementation is fairly simple, upon login, we use cURL or something similar and generate a POST request, using the username and password. The remote script grabs the session ID and user ID and returns the values to the originating server. We then, set the cookie values.

Now, the interesting bit. phpBB has multiple layers by which it validates the session. Since our remote server is originating the request, we don’t have the same IP as the user. Second, it uses the User-Agent string of the browser to validate the session. Using cURL, we don’t have a browser. Now, with cURL, you can set various settings (User-Agent string, X-Forwarded-For header, etc) – but if you’d rather not depend on that, you can simply un-check those settings in phpBB.

Of course, I’d recommend using the cURL settings, but to get you started and ensure the connectivity is working.

Leave a Reply