Reusing PHPBB's Authentication System

By on 2/22/2010

Question:

What's the easiest way to let a custom application re-use accounts from a PHPBB installation?

Answer:

The first thing that occurred to me was that I'd have to look over the PHPBB user tables, connect to MySQL, and read the user's password (which I assume is hashed) to do the authentication. The second idea I had was to write a proxy service in PHP that I could call from my custom app.

Both of those options seemed like an awful pain in the butt. Then I had an epiphany: if you take a look at the ideals behind REST services, one could reason that PHPBB already exposes a REST service for logging in.

What if I simply used the already exposed HTML form as a sort of pseudo web service?

Making HTTP posts with C# is pretty easy, but I didn't want to try to remember what the syntax was for the API, so I did a quick search online and found a nice little class that makes it really easy: http://geekswithblogs.net/rakker/archive/2006/04/21/76044.aspx

With this class in hand, I used Firebug while logging in to PHPBB and inspected the post variables. Easy, there were only four variables posted:
  • autologin=on
  • login=Login
  • username=[My Username]
  • password=[My Password]

I grabbed the URL it was posting to and added the variables (see the example below). Once I get the result back, a simple regular expression parses through the HTML and figures out whether the login was successful. The result worked surprisingly well.

The method below takes a username, password, and URL. The URL will look something like this: http://mywebsite.com/forum/ucp.php?mode=login&sid=9cd8b8da2649060b9d22d297f27a1dc7

using System.Text.RegularExpressions;

// PostSubmitter is the helper class from the geekswithblogs.net post linked above.
private static bool Authenticate(string username, string password, string url)
{
    PostSubmitter post = new PostSubmitter();
    post.Url = url;

    // The same four fields the login form posts.
    post.PostItems.Add("autologin", "on");
    post.PostItems.Add("login", "Login");
    post.PostItems.Add("username", username);
    post.PostItems.Add("password", password);
    post.Type = PostSubmitter.PostTypeEnum.Post;
    string result = post.Post();

    // Escape the username so regex metacharacters in it are matched literally.
    string loggedinstring = string.Format("Logout \\[ {0} \\]", Regex.Escape(username));
    Regex r = new Regex(loggedinstring, RegexOptions.IgnoreCase);
    var match = r.Match(result);

    return match.Success;
}

Disclaimer: I've only tried this code with one instance of PHPBB, so I'm not sure whether it will work with other versions. The point of this was that we can trivially reuse existing user stores that are already exposed on the web via simple HTML forms.
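
The response check from the method above, isolated so it can be exercised on constructed HTML; this is an added example, not code from the original post. It goes slightly further than the post by refusing non-HTTPS login URLs and tolerating variable whitespace in the logout link. The class name, method names, sample HTML and the assumption that the forum HTML-encodes the displayed username are all assumptions of this example.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: names and sample HTML are constructed for illustration.
static class LoginResponseCheck
{
    // Credentials are posted in the request body, so only allow an https:// login URL.
    public static bool IsSafeLoginUrl(string url)
    {
        Uri uri;
        return Uri.TryCreate(url, UriKind.Absolute, out uri)
            && uri.Scheme == Uri.UriSchemeHttps;
    }

    // True when the page shows the "Logout [ username ]" link for this exact user.
    public static bool IsLoggedInAs(string html, string username)
    {
        // Assumption: the forum HTML-encodes the name it prints in the link.
        string shown = WebUtility.HtmlEncode(username);
        // Regex.Escape turns '.', '(', '*' and similar into literals, so a
        // username can neither widen the match nor make the pattern invalid.
        string pattern = @"Logout\s*\[\s*" + Regex.Escape(shown) + @"\s*\]";
        return Regex.IsMatch(html, pattern, RegexOptions.IgnoreCase);
    }

    static void Main()
    {
        // Constructed responses, not captured from a real forum.
        string ok = "<a href=\"ucp.php?mode=logout\">Logout [ j.doe ]</a>";
        string other = "<a href=\"ucp.php?mode=logout\">Logout [ jxdoe ]</a>";
        string failed = "<div class=\"error\">Incorrect password.</div>";

        Console.WriteLine(IsLoggedInAs(ok, "j.doe"));     // exact user is shown
        Console.WriteLine(IsLoggedInAs(other, "j.doe"));  // '.' must not match 'x'
        Console.WriteLine(IsLoggedInAs(failed, "j.doe")); // no logout link at all
        Console.WriteLine(IsLoggedInAs(ok, "j.doe("));    // unbalanced '(' must not throw
        Console.WriteLine(IsSafeLoginUrl("http://mywebsite.com/forum/ucp.php?mode=login"));
        Console.WriteLine(IsSafeLoginUrl("https://mywebsite.com/forum/ucp.php?mode=login"));
    }
}
```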
