HTTP Auth using $_SERVER["PHP_AUTH_USER"] and PHP_AUTH_PW...

[Vig]

I put together a basic plugin to reuse HTTP Auth for vBulletin login. In our environment, the webserver has HTTP Auth to access it and PHP shares the username and password as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

In the admin control panel, I created a new plugin named "HTTP Authentication" attached to the global_bootstrap_init_complete hook:

Code:

error_reporting(E_ALL & ~E_NOTICE);

// some basic requirements
require_once(DIR . '/includes/functions_login.php');

$newuser =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
$newuser->set('username', $_SERVER["PHP_AUTH_USER"]);
$newuser->set('password', $_SERVER["PHP_AUTH_PW"]);
$newuser->set('email', $_SERVER["PHP_AUTH_USER"]);
$newuser->set('usergroupid', 2);
$newuser->set('timezoneoffset', -6);
$newuser->set('showblogcss', 1);
$newuser->pre_save();

$vbulletin->GPC['vb_login_username'] = $_SERVER["PHP_AUTH_USER"]; //$vbulletin->GPC['vb_login_username'];
$vbulletin->GPC['cookieuser'] = $_SERVER["PHP_AUTH_USER"]; //$vbulletin->GPC['vb_login_username'];
$vbulletin->GPC['cookieuser'] = 1;

// try to create the user in vBulletin; if it works save the dataset else just login
if (empty($newuser->errors))
{
    $newuser->set_info('coppauser', false);
    $vbulletin->userinfo['userid'] = $newuser->save();
}

verify_authentication($vbulletin->GPC['vb_login_username'], '','','',$vbulletin->GPC['cookieuser'], true);
exec_unstrike_user($vbulletin->GPC['vb_login_username']);
process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);

Current problem:

When logged in with the above method, the CSS/display isn't quite right. The "Home", "Forum", "Blogs", etc is on the right and the search box on the left. When logged in with the admin account or not logged in at all, the search box is on the right and the "Home", "Forum", etc is on the left.

So somehow things are getting swapped right to left with the above code...

--------------- Added [DATE]1264656982[/DATE] at [TIME]1264656982[/TIME] ---------------

If I attach this plugin to the "global_complete" hook location the CSS is not affected so it looks like that was the issue.

--------------- Added [DATE]1264723923[/DATE] at [TIME]1264723923[/TIME] ---------------

Updated version: This version uses the same password for everyone. Sounds crazy right? Well HTTP Authentication has to work 100% on our site to ensure security. So nobody can login as anyone else unless they can do so also via HTTP Auth. So the plugin now sets the same password for everyone. The reason for this is that it can now handle the case where the HTTP Auth password changes.

The cleaner way would be to update the password in the vBulletin system when the login fails however I do not know how to do that yet.

Code:

rror_reporting(E_ALL & ~E_NOTICE);

// some basic requirements
require(DIR . '/includes/functions_login.php');

$newuser =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
$newuser->set('username', $_SERVER['PHP_AUTH_USER']);
$newuser->set('password', 'SOME_STRING_HERE');  // http auth is 100% of security, to avoid password issues when passwords change...
$newuser->set('email', $_SERVER['PHP_AUTH_USER']);
$newuser->set('usergroupid', 2);
$newuser->set('timezoneoffset', -6);
$newuser->set('showblogcss', true);
$newuser->set('styleid', 1);
$newuser->pre_save();

$vbulletin->GPC['vb_login_username'] = $_SERVER['PHP_AUTH_USER'];
$vbulletin->GPC['cookieuser'] = $_SERVER['PHP_AUTH_USER'];
$vbulletin->GPC['cssprefs'] = '';

// try to create the user in vBulletin; if it works save the dataset else just login
if (empty($newuser->errors))
{
    $newuser->set_info('coppauser', false);
    $vbulletin->userinfo['userid'] = $newuser->save();
}

verify_authentication($vbulletin->GPC['vb_login_username'], '','','',$vbulletin->GPC['cookieuser'], true);
exec_unstrike_user($vbulletin->GPC['vb_login_username']);
process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);

[Vig]

Version 0.3:

- if session expires, resets session and redirects to reload page

Code:

error_reporting(E_ALL & ~E_NOTICE);

// some basic requirements
require(DIR . '/includes/functions_login.php');

// check if already logged in
$logged_in = (empty($_COOKIE[COOKIE_PREFIX . 'lastvisit'])) ? false : true;

// clean up expired session *before* logging in again
if ($logged_in)
{
    $vbulletin->session->do_lastvisit_update($vbulletin->GPC[COOKIE_PREFIX . 'lastvisit'], $vbulletin->GPC[COOKIE_PREFIX . 'lastactivity']);
}

$newuser =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
$newuser->set('username', $_SERVER['PHP_AUTH_USER']);
$newuser->set('password', 'SOME_STRING_MAKE_IT_UP');  // http auth is 100% of security, to avoid password issues when passwords change...
$newuser->set('email', $_SERVER['PHP_AUTH_USER']);
$newuser->set('usergroupid', 2);
$newuser->set('timezoneoffset', -6);
$newuser->set('showblogcss', true);
$newuser->set('styleid', 1);
$newuser->pre_save();

$vbulletin->GPC['vb_login_username'] = $_SERVER['PHP_AUTH_USER'];
$vbulletin->GPC['cookieuser'] = $_SERVER['PHP_AUTH_USER'];
$vbulletin->GPC['cssprefs'] = '';

// try to create the user in vBulletin; if it works save the dataset else just login
if (empty($newuser->errors))
{
    $newuser->set_info('coppauser', false);
    $vbulletin->userinfo['userid'] = $newuser->save();
}

verify_authentication($vbulletin->GPC['vb_login_username'], '','','',$vbulletin->GPC['cookieuser'], true);
exec_unstrike_user($vbulletin->GPC['vb_login_username']);
process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);

// redirect back so page reloads with logged in cookie-based session active
if (!$logged_in)
{
    header('Location: ' . $_SERVER['PHP_SELF']);
}

--------------- Added [DATE]1264810892[/DATE] at [TIME]1264810892[/TIME] ---------------

Version 0.4:

- Password issue appears to be a non-issue (further testing needed, in mean time, just use $_SERVER['PHP_AUTH_PW']).
- Handle case where session expires and next page load means the user is not logged in (but session cookies are set) and then refresh shows as logged in. Now there is a redirect in this case so user doesn't not see self as ever logged out.
- Handle case where user tries to access a session as someone other than who they are HTTP authenticated as.

Code:

error_reporting(E_ALL & ~E_NOTICE);

// some basic requirements
require(DIR . '/includes/functions_login.php');

if (!$vbulletin->session->vars['loggedin'])
{
    httpauth_login();
    redirect_self();
}
elseif ($userinfo = $vbulletin->session->fetch_userinfo())
{
    if ($userinfo['username'] !== $_SERVER['PHP_AUTH_USER'])
    {
        httpauth_login();
        process_logout();
        redirect_self();
    }
    else
    {
    }
}

function httpauth_login()
{
    global $vbulletin;

    $newuser =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
    $newuser->set('username', $_SERVER['PHP_AUTH_USER']);
    $newuser->set('password', $_SERVER['PHP_AUTH_PW']);
    $newuser->set('email', $_SERVER['PHP_AUTH_USER']);
    $newuser->set('usergroupid', 2);
    $newuser->set('timezoneoffset', -6);
    $newuser->set('showblogcss', true);
    $newuser->set('styleid', 1);
    $newuser->pre_save();

    $vbulletin->GPC['vb_login_username'] = $_SERVER['PHP_AUTH_USER'];
    $vbulletin->GPC['cookieuser'] = $_SERVER['PHP_AUTH_USER'];
    $vbulletin->GPC['cssprefs'] = '';

    // try to create the user in vBulletin; if it works save the dataset else just login
    if (empty($newuser->errors))
    {
        $newuser->set_info('coppauser', false);
        $vbulletin->userinfo['userid'] = $newuser->save();
    }

    verify_authentication($vbulletin->GPC['vb_login_username'], '','','',$vbulletin->GPC['cookieuser'], true);
    exec_unstrike_user($vbulletin->GPC['vb_login_username']);
    process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);
}

function redirect_self()
{
    // may need adjustment for non-Apache servers!
    header('Location: ' . $_SERVER['PHP_SELF']);
}

[PepiMK]

Version 0.4 is missing the require_once from version 0.1 - without that, some things will fail (just tested on saw with post preview and post promotion to article on vanilla 4.08 Suite).