Larry Ullman's Book Forums

Curl Request With Cookies To Fetch Json User Data From Phpbb3



Hey, everyone

 

I'm trying to bind together two systems. The first one is a membership system running on Laravel and the other is the forum solution phpBB3. (Similar to iPB, the forum solution here)

 

The membership system should do a cURL request against a simple script added to phpBB3. The script uses phpBB3's session solution to make sure a user is logged in. If that is true, information about the user will be returned. If that is false, anonymous user information is returned. The return source is JSON.

 

You may log in to a test account here:

Username: example

Password: example

 

 

phpBB3-script: - http://forum.juvenorge.com/getLoggedInUserInfo.php

<?php

define('IN_PHPBB', true);

$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : $_SERVER['DOCUMENT_ROOT'] . '/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);

// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup();

// Build a new array to only retrieve needed data
$data = array(
	'user_id' => $user->data['user_id'],
	'username' => $user->data['username_clean']
);

echo json_encode($data);

The script will return the JSON string {"user_id":"1","username":"anonymous"} for you guys as standard. If you log in using the attached User info, the output should be {"user_id":"1210","username":"example"}.

 

Laravel Controller method: - http://medlem.juvenorge.com/innmelding

$ch = curl_init('http://forum.juvenorge.com/getLoggedInUserInfo.php');
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1');
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
	
$output = curl_exec($ch);
curl_close($ch);
 
return $output;

However, the Laravel controller returns the anonymous user data instead of my own data, even when logged in. I think this may be due to some checks that phpBB3 implements for security reasons. phpBB3 saves cookies to the key "phpBB3_****" where the asterisks represent a secure key. There are three cookies saved in total:

 

Cookies:

  1. [phpBB3_****_u] => X
  2. [phpBB3_****_k] => *************
  3. [phpBB3_****_sid] => *********************

What do I have to do to be able to perform the cURL request properly? Really hoping for some help here.

 

Thanks in advance. :)

Link to comment
Share on other sites

phpBB3 sets the $user object behind the scenes. The code is all over the place, so it's not easy to follow the logic. I don't need to post any data to make the original script work (as you can see by logging into the example account), but I would guess that's because of the cookies keeping the login active.

 

Due to that, I think I might need to attach a cookie. I'm not really sure how that is done, if there are sub-domain issues involved, where the cookie is located, etc.

Link to comment
Share on other sites

You can send cookies with cURL, but obviously, you'd need the right information to make it work.

 

What I don't understand is the fact that it seems like what you're trying to do is a pretty straightforward and common task. Does phpBB3 not provide an API/documentation explaining how to do this?

I'm thinking that a board dedicated to phpBB3 would serve you much better.

 

In other words, I think you're on the right track with your thinking, but unfortunately, I'm just as clueless about the details as you are.

Link to comment
Share on other sites

I'm inclined to agree with Jonathan here. This is not something I've done before, although I'm sure you can send cookies with cURL. 

 

I would also think that a phpBB3 forum would be more beneficial for you. I seem to recall using phpBB for something years ago and it had a Coppermine bridge so that phpBB and Coppermine could be used together. Or maybe it was Coppermine that had the bridge to phpBB. Or maybe I wasn't using phpBB... 

 

So as much as I'd love to help, you're already well ahead of what I know of the specifics here.

Link to comment
Share on other sites

Ok. I will check it out.

 

I've provided a workaround by using one of the cookies that stores the user id. Using that, I simply do a query against phpBB3 to get the needed information. While I know this is not secure by any stretch of the imagination, the information returned is harmless, and only includes username, birthday and email_address - all public information nonetheless. The solution will work until I figure out how to make the cURL request work.

 

EDIT:

I've almost managed to make this work. The first time I load the page after the cURL request, the correct data is returned. However, when I refresh once more, I receive the anonymous information again. In the meantime, I'm logged out of phpBB3 the next time I visit because the session validation then fails.

 

Some new code to check:

	private function phpBB()
	{
		$url = 'http://forum.juvenorge.com/getLoggedInUserInfo.php';
		$remote = 'REMOTE_ADDR: ' . $_SERVER["REMOTE_ADDR"];
		$agent  = 'HTTP_X_FORWARDED_FOR: ' . $_SERVER['HTTP_USER_AGENT'];
		
		$strCookie = $this->spoofCookie();
		
		$ch = curl_init($url);
		curl_setopt($ch, CURLOPT_POST, false );
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
		
		// User session info
		curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
		curl_setopt($ch, CURLOPT_HTTPHEADER, array($remote, $agent));
		
		curl_setopt($ch, CURLOPT_COOKIE, $strCookie );
		curl_setopt($ch, CURLOPT_COOKIEJAR, $strCookie );
		curl_setopt($ch, CURLOPT_COOKIEFILE, $strCookie );
		
		$output = curl_exec($ch);

		curl_close($ch);

		return $output;
	}
	
	private function spoofCookie()
	{
		$k = 'phpBB3_***_k';
		$u = 'phpBB3_***_u';
		$sid = 'phpBB3_***_sid';
		
		$ck = $k.'='.$_COOKIE[$k].'; ';
		$cu = $u.'='.$_COOKIE[$u].'; ';
		$csid = $sid.'='.$_COOKIE[$sid].'; ';
		
		return $ck . $cu . $csid . 'expires=Saturday, 20-Mar-2014 01:34:06 GMT; path=/; domain=.juvenorge.com';
	}

Some interesting discoveries. After checking phpBB3's admin panel, I've noticed some security options of interest. For a session to be deemed valid, it must pass the following checks:

  1. IP validation. It will match the whole IP address against the one saved in the DB Session table
  2. Browser validation: It will match information of the browser against the session.
  3. HTTP X_FORWARDED_FOR header validation: This must match for the session to continue

I'm not currently sure how all this is validated but I'm digging for answers. It seems like I'm almost able to get it to work. Very promising. :)

Link to comment
Share on other sites
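
An added example, not part of the original posts and not phpBB3 code: one way to forward the three cookies discussed in this thread as a well-formed Cookie request header, validating each value before it is placed in the outgoing request. The prefix `phpBB3_xxxx`, the function names and the value patterns are assumptions made for illustration.

```php
<?php
// Hypothetical cookie prefix; the real one is elided on the page ("phpBB3_****").
const COOKIE_PREFIX = 'phpBB3_xxxx';
// Build the Cookie request header: name=value pairs only. expires, path and
// domain are Set-Cookie attributes and are never sent back by a client.
function buildForumCookieHeader(array $cookies, string $prefix): ?string
{
    // Assumed formats: numeric user id, hex login key (may be empty), hex session id.
    $rules = [
        '_u'   => '/\A\d{1,10}\z/',
        '_k'   => '/\A[a-f0-9]{0,32}\z/i',
        '_sid' => '/\A[a-f0-9]{32}\z/i',
    ];
    $pairs = [];
    foreach ($rules as $suffix => $pattern) {
        $value = $cookies[$prefix . $suffix] ?? null;
        // $_COOKIE values arrive URL-decoded, so anything outside the expected
        // alphabet (";", CR, LF, ...) is refused rather than forwarded.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            return null;
        }
        $pairs[] = $prefix . $suffix . '=' . $value;
    }
    return implode('; ', $pairs);
}
function fetchForumUser(string $url, string $cookieHeader, string $userAgent): ?array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIE         => $cookieHeader, // becomes the Cookie header
        CURLOPT_USERAGENT      => $userAgent,
        CURLOPT_TIMEOUT        => 5,
        // CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE take file names, so they are not set.
    ]);
    $body = curl_exec($ch);
    $data = is_string($body) ? json_decode($body, true) : null;
    return is_array($data) ? $data : null;
}
// Constructed sample cookies, not real values.
$sample = [
    COOKIE_PREFIX . '_u'   => '1210',
    COOKIE_PREFIX . '_k'   => '',
    COOKIE_PREFIX . '_sid' => str_repeat('ab12', 8),
];
var_dump(buildForumCookieHeader($sample, COOKIE_PREFIX));
// Second call: the session id carries CR/LF and does not match the pattern.
$sample[COOKIE_PREFIX . '_sid'] = "abc\r\nX-Injected: 1";
var_dump(buildForumCookieHeader($sample, COOKIE_PREFIX));
```

PHP fills `REMOTE_ADDR` from the TCP connection, so a request header named `REMOTE_ADDR` does not change it and the forum sees the membership server's address when it applies IP validation.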
