Use External Login

[rlarner]

I am trying to integrate vBulletin into existing website, replacing phpbb2. I'd have a requirement to use our existing login to authenticate users into vBulletin as well, but I'd prefer to do this creation lazily rather than have to go through all the existing users and create vBulletin accounts for them.

I've tried adding code to includes/init.php to check for an externally authenticated user. If it finds one I look up that userid in the vb_user table - if it's not there I create one. Once this process is complete I create a session for the user and set cookies.

The problem I'm having is that this session doesn't appear to be valid to the router code. It ends up creating a new session and treating the customer as a visitor.

First question is: am I on the right track?

Second question: what am I missing?

Thanks in advance for any assistance.

Rosco

[Disasterpiece]

The idea seems right. I'm not sure what the problem is with creating a script to copy your users into vbulletin since it would solve your problem, but either way, without more info and code snippets it's impossible to give directed answers.

[rlarner]

Thanks for the reply, Disasterpiece. Here's some more specifics on my approach. I added the following to vb/init.php immediately after the call to:

Code:

if ($customer_id && !$vbulletin->GPC[COOKIE_PREFIX . 'userid']) {

function fetch_my_salt($length = 30){
    $salt = '';
    for ($i = 0; $i < $length; $i++){
        $salt .= chr(rand(33, 126));
       }
    return mysql_real_escape_string($salt);
}

$userid = $customer_id;
$row_user = mysql_fetch_array(mysql_query("SELECT userid, salt FROM user WHERE userid = '$userid'"));
if (isset($row_user['userid'])) {
    $vb_salt = $row_user['salt'];
} else {
    $row_title = mysql_fetch_array(mysql_query("SELECT * FROM `usertitle` ORDER BY `usertitleid` ASC LIMIT 1"));
    $username = customer::get_avatarname($customer_id);
    $password = customer::get_password($cid);
    $vb_salt = fetch_my_salt();
    $password_salted = md5($password.$vb_salt);
    $passdate = date('Y-m-d');
    $usertitle = $row_title['title']; //get the default first title
    mysql_query("INSERT INTO user (
    userid,
    usergroupid,
    username,
    password,
    passworddate,
    email,
    showvbcode,
    showbirthday,
    usertitle,
    joindate,
    lastactivity,
    lastvisit,
    options,
    ipaddress,
    languageid,
    salt
    ) VALUES (
    '$userid',
    '2',
    '$username',
    '$password_salted',
    '$passdate',
    '$email',
    '1',
    '0',
    '$usertitle',
    '$timestamp',
    '$timestamp',
    '$timestamp',
    '3163223',
    '$ip',
    '1',
    '$vb_salt'
    )") or die(mysql_error());
    
    mysql_query("INSERT INTO `usertextfield` (`userid`) VALUES ('$userid')") or die(mysql_error());
    mysql_query("INSERT INTO `userfield` (`userid`) VALUES ('$userid')") or die(mysql_error());
    
}
$alt_ip = ip::get();
$timestamp = time();
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$idhash = md5($_SERVER['HTTP_USER_AGENT'].$alt_ip);
$sessionhash = md5(uniqid(microtime(), true));
//delete old sessions - a crude but useable method
mysql_query("DELETE FROM `session` WHERE `userid`='$userid' OR `host`='$ip'") or die(mysql_error());
//insert new session
mysql_query("INSERT IGNORE INTO `session` (`sessionhash`, `userid`, `host`, `idhash`, `lastactivity`, `location`, `useragent`, `styleid`, `languageid`, `loggedin`, `inforum`, `inthread`, `incalendar`, `badlocation`, `bypass`, `profileupdate`) 
VALUES ('$sessionhash', '$userid', '$alt_ip', '$idhash', '$timestamp', '/inside/forums/forum.php', '$user_agent', '0', '0', '1', '0', '0', '0', '0', '0', '0')") or die(mysql_error());
//add cookies to link user to session
setcookie('bb_lastvisit',$timestamp);
setcookie('bb_lastactivity',0);
setcookie('bb_sessionhash',$sessionhash);
setcookie('bb_userid',$userid);
$cookie_password_salted = md5(md5($password.$vb_salt).'C6KQEk3jNYBggzqFr0m4uVzFujo');
setcookie('bb_password',$cookie_password_salted); 
}

What happens now is on the first page load I get the message:

Quote:

Your submission could not be processed because you have logged in since the previous page was loaded.<br />
<br />
Please reload the window.

Even though I get this message, it does appear to log the customer in, however subsequent visits do not result in authenticated sessions - the user is treated like a guest.

So, it looks like my problems are two-fold:
1) How do I repress the "logged in since the previous page was loaded" message?

2) How do I properly populate the session table and cookie info on return visits?

Thanks again.

Rosco

[Disasterpiece]

OK, without going into greater details of your code, here are a few things which popped up while I was reading your snippet:

PHP Code:

if ($customer_id && !$vbulletin->GPC[COOKIE_PREFIX . 'userid']) { 


looks strange. Generally, you shouldn't trust user-data, cookies included. If you're looking for info if the user is logged in or not, try the $vbulletin->session var, it's more trustworthy, since I could modify my cookies without actually being logged in and vice-versa under certain circumstances.

PHP Code:

$row_user = mysql_fetch_array(mysql_query("SELECT userid, salt FROM user WHERE userid = '$userid'")); 


You should not assume, that each user-tables of your two different cms/forum systems have the same ID. Primary IDs, like userid is, increase with every entry.
To create a more flexible script, you should create an additional table which connects $customer_id to a vbulletin $userid so the connection between two user-entries is more accurate. how you determine if two users are equal can you decide like testing usernames and passwords / ips etc.

[rlarner]

What in the session var tells me if the user is logged in?

I'll consider adding a join table, but since my script _should_ be the only source of inserts to the vb_user table, and I'm setting the userid during the insert I don't think I'll have syncronization problems.

[Disasterpiece]

Quote:

Originally Posted by rlarner

What in the session var tells me if the user is logged in?

Check if userid is set in session var. For instance...

Quote:

Originally Posted by rlarner

I'll consider adding a join table, but since my script _should_ be the only source of inserts to the vb_user table, and I'm setting the userid during the insert I don't think I'll have syncronization problems.

Dependant if you can modify your table layout, you could add the according vb-userid to your user table. If you used a modified version of a wordpress for example, it wouldn't be so easy to modify the table structure of a retail-cms. That's where my thought came from

[rlarner]

Great, I'll switch to use the session userid instead. However, I'm still having problems making the session "stick". Where should this custom function live in the grand vBulletin scheme? Also, what are the key pieces of information I need to be setting in the session so that vBulletin will take it for one of it's own and not create a new session further along the page load?

[rlarner]

It appears there are better ways to accomplish this without getting my hands dirty in the vBulletin internals:

creating users lazily:
global $vbulletin;
require_once('./includes/init.php');
$newuser =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
$newuser->set('userid', $userid_from_existing_site);
$newuser->set('username', $username_from_existing_site);
$newuser->set('email', $email_from_existing_site);
$newuser->set('password', $password_from_existing_site);
$newuser->set('usergroupid', 2);
$newuser->save();

then logging them into vBulletin, once you've already authenticated them in your existing site:
require_once('./includes/functions_login.php');
$vbulletin->userinfo = fetch_userinfo($cid);
$logintype = '';
$cookieuser = '1';
$cssprefs = '';
process_new_login($logintype, $cookieuser, $cssprefs);
set_authentication_cookies(true);