Old 01-02-2008, 12:34 AM
clykclyk clykclyk is offline
 
Join Date: Oct 2007
Location: Texas
Posts: 4

Steps:
1.) create the script
2.) create the MySQL table
3.) OPTIONAL: create the cron job

...keep reading


First... create a script called signon.php and drop it in the forums/ subdirectory where vBulletin is created and put the following code in it...

PHP Code:
<?php

/*###################################################################################
DATE: 10/29/2007
WRITTEN BY: clykclyk
PURPOSE: Single Sign-on solution for vBulletin.
###################################################################################*/

// file where $dbhost, $dbuser, $dbpass & $dbname MySQL variables are stored.
include("common.php");

// Check if there is a HASH passed in the URL.
if (isset($_GET['hash']) && is_string($_GET['hash']) && strlen($_GET['hash']) == 128) {
    $gethash = $_GET['hash'];

    // Connect to the database
    mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error());
    mysql_select_db($dbname);

    // Escape the URL value before it is placed inside an SQL string
    $safehash = mysql_real_escape_string($gethash);

    // SELECT values from vb_hash table for comparison
    $result = mysql_query("SELECT generatedid,expireson,userid FROM vb_hash WHERE generatedid='$safehash'") or die(mysql_error());
    $row = mysql_fetch_row($result);

    // We have what we need so DELETE the record from vb_hash so it can't be used again
    mysql_query("DELETE FROM vb_hash WHERE generatedid='$safehash'") or die(mysql_error());

    // If HASH passed in URL matches the value from the vb_hash database then proceed.
    if ($row && $gethash === $row[0]) {
        // Grab the user's values from the vb_user table for use in setting the session cookie prior to redirect
        $result1 = mysql_query("SELECT userid FROM vb_user WHERE email='" . mysql_real_escape_string($row[2]) . "'") or die(mysql_error());
        $user = mysql_fetch_row($result1);

        // Establish timestamps in friendlier format for comparison
        $timestamp = strtotime($row[1]);
        $now = strtotime('now');

        // Evaluate TTL: proceed only while the expireson time is still in the future
        if ($user && $timestamp > $now) {
            // Define values per vBulletin global scope
            define('THIS_SCRIPT', 'login');
            define('VB_AREA', 'Subscriptions');

            // Include required files from vBulletin so we can use the vbsetcookie() OR process_new_login() functions depending on preference.
            require("global.php");
            require("includes/functions_login.php");

            $vbulletin->userinfo['userid'] = $user[0];
            process_new_login('', true, '');
        }
    }
}

// now just redirect (in all cases)
// global.php is only loaded in the success branch above, so load it here when that branch did not run
if (!function_exists('exec_header_redirect')) {
    define('THIS_SCRIPT', 'login');
    require("global.php");
}
exec_header_redirect($vbulletin->url);

?>

Second... create the MySQL db table called vBulletin.vb_hash like so...

CREATE TABLE `vb_hash` (
`generatedid` varchar(128) NOT NULL default '',
`expireson` timestamp NOT NULL default CURRENT_TIMESTAMP,
`userid` varchar(100) NOT NULL default '',
UNIQUE KEY `generatedid` (`generatedid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


Third... We then had a cron job that would work behind the scenes every 2 minutes and delete any entries past the expired time. For some folks this step can be considered overkill as the signon.php script will delete the entry in the database once it has been used but for us this step ensured that IF by some freak chance the embedded browser did not open after the database had been populated it would still kill the entry so that the URL cannot be captured and used later.

I don't have this script handy so I am not able to provide it but in short it's just a bash script that executes a MySQL query to DELETE FROM vb_hash WHERE expireson > now();

OTHER INFO:
The URL string to pass to this is:
signon.php?hash=<128_character_string>

In our case the Java applet which provided the link to the user would upon clicking the link...
1.) populate the vb_hash table with the 128 character string, expire timestamp and userid of the logged in user
2.) send the User to the link via an embedded browser window.

We set our expireson timestamp to 1 minute which is far longer than needed to click a link and execute the result so the cron job ran at twice that time... this way even if the entry did live past the execution of the signon.php script it would be removed promptly and not linger in the database.

NOTE: Consequently, because our Java application was initially handling the authentication it was also handling the registration so the registration in vBulletin was disabled and when the Java application registered a new user it would populate the vb_user, vb_userfield, and vb_usertextfield tables the same way vBulletin does natively.

SIDE NOTE: To test which tables are changed for yourself upon registration, do a directory listing with file sizes on the raw MySQL files as a control. Then register a user and do another directory listing...then just diff the 2 and see what changed. That gives you the tables that are modified. From there you can see what was entered for the user you just registered.

Happy New Year!

--------------- Added [DATE]1199242299[/DATE] at [TIME]1199242299[/TIME] ---------------

One more added note regarding the login...
There are 2 ways to make vBulletin recognize an authenticated user,

vbsetcookie() and process_new_login().

We opted to use process_new_login() because our embedded browser would not allow us to set cookies in this way but you can just as easily use vbsetcookie().

If you'd rather use vbsetcookie() then here is the code to replace in the previous code:

REPLACE:
PHP Code:
         // Set the session cookie values using the process_new_login() function
         $vbulletin->userinfo['userid'] = $user[0];
         process_new_login('', true, '');
WITH:
PHP Code:
         // Set the session cookie values using the vbsetcookie() function
         // NOTE: this reads $user[0] and $user[1], but the vb_user SELECT in signon.php
         // returns only userid; that query has to return both values for this to work.
         vbsetcookie('userid', $user[1], true, true, true);
         vbsetcookie('password', md5($user[0] . 'VBxxxxxx'), true, true, true);
Reply With Quote
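
The token lifecycle described in the post (issue a 128-character string with a one-minute expiry, redeem it once, purge leftovers), as an added example that is not part of the original post. It is a Python model that uses an in-memory SQLite table in place of the MySQL vb_hash table; `open_db`, `issue_token`, `redeem_token` and `purge_expired` are hypothetical names, and expireson is stored as a Unix time for simplicity.

```python
import secrets
import sqlite3
import time

TTL_SECONDS = 60  # the one-minute lifetime mentioned in the post

def open_db():
    # In-memory SQLite stand-in for the MySQL vb_hash table (assumption).
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE vb_hash (generatedid TEXT PRIMARY KEY, "
               "expireson INTEGER NOT NULL, userid TEXT NOT NULL)")
    return db

def issue_token(db, userid, now=None):
    """Issuer side: store a fresh 128-character token for userid."""
    now = time.time() if now is None else now
    token = secrets.token_hex(64)  # 64 CSPRNG bytes -> 128 hex characters
    db.execute("INSERT INTO vb_hash VALUES (?, ?, ?)",
               (token, int(now) + TTL_SECONDS, userid))
    return token

def redeem_token(db, token, now=None):
    """signon side: return the userid for a valid token, else None."""
    now = time.time() if now is None else now
    if len(token) != 128:
        return None
    db.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    try:
        row = db.execute("SELECT userid, expireson FROM vb_hash "
                         "WHERE generatedid = ?", (token,)).fetchone()
        # A presented token is spent, whether or not it is still valid.
        db.execute("DELETE FROM vb_hash WHERE generatedid = ?", (token,))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    if row is None or row[1] <= now:
        return None  # unknown, already used, or expired
    return row[0]

def purge_expired(db, now=None):
    """Cron side: remove tokens whose expiry time has passed."""
    now = time.time() if now is None else now
    return db.execute("DELETE FROM vb_hash WHERE expireson <= ?",
                      (int(now),)).rowcount
```

The lookup and delete run inside one transaction so that two requests carrying the same token cannot both read the row before it is removed.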