Ishtaria
Nuke Soldier
Joined: Apr 22, 2003
Posts: 22
Posted: Sat Jun 14, 2003 2:04 am
Hi,
I have seen a number of people mention that a few of their users are encountering the "Invalid Session" error when trying to post in the PHP-Nuke/phpBB forums.
There appears to be a lack of understanding regarding this bug, and I thought I would make this post to help out.
This bug occurs when the user cookie does not match the user's assigned "session" in phpBB (which can occur if the user's cookie "expires" during a session). It is a scheme that was implemented at phpBB in an attempt to prevent hackers from grabbing someone's forum "session" and taking the identity of that logged in user.
To further make this scheme secure, phpBB incorporated the user's IP address into the mix, so that the user's current IP address is used in the "screen to screen" validation process. Unfortunately, for some users whose ISP uses dynamically assigned IP addresses this can pose a very serious problem.
One example is AOL. AOL assigns an IP address to a user which can change from one internet request to the next. In other words, an AOL user does not have the same IP address from the point of clicking on a post, to clicking on "reply" to clicking on "Submit." 3 different IPs in 3 different actions.
During "passive" actions (such as viewing a post) this is not critical and phpBB simply assigns a new session to the user. But in active actions (such as posting) phpBB is less tolerant and flags this as an "invalid session."
You will note that many admins who are experiencing this on their sites will state that it is only "a few" users having this problem. Chances are very high that their ISPs use this dynamic IP assignment scheme, and that if they have the user go to a web site which displays their IP address, that from one click to the next (or every couple of clicks within a few minutes) they will see that their IP address changes.
The only fix (sic) that I have found which completely addresses this problem is to disable (comment out) the validation checking in the phpBB source code. You can find these code segments (there are many of them across several modules) by performing a text search for "Invalid_session".
Before you run out and do this, you should acknowledge to yourself that you are actively disabling some security code in your forum. I personally question the chance of someone hijacking an active user's session (which is what this security scheme is designed to prevent). To hijack a user's session would take some incredibly heroic efforts on the part of a hacker. But, regardless of "my opinion", before doing this you should investigate this further, and the place to do this is directly from the phpBB implementation team here:
http://www.phpbb.com/phpBB/viewtopic.php?t=69493
http://www.phpbb.com/kb/article.php?article_id=54
BTW, this problem is still occurring in PHP-Nuke 6.7 (which is where I have implemented my fix). It appears that all attempts to address this so far have involved changing the cookie expiration period (the current "fix" listed simply changes the field values from "0" to "3600" seconds). This will fix the problem if the user is experiencing cookie expiration. But it WILL NOT fix the problem for someone like an AOL user whose IP address keeps shifting.
I hope that this helps to clear up some of the mystery surrounding the Invalid Session problem.
Ish
bist
Nuke Soldier
Joined: Mar 18, 2003
Posts: 25
Posted: Sat Jun 14, 2003 3:23 am
Can you please tell me where I have to comment out these lines?
Ishtaria
Nuke Soldier
Joined: Apr 22, 2003
Posts: 22
Posted: Sat Jun 14, 2003 8:26 am
Here is a list of the modules where the test occurs:
posting.php
modcp.php
login.php
groupcp.php
Look for the text "Invalid_session" (use whatever text search facility your text editor provides). Comment out the complete test like this:
Code:
// if ( $submit || $refresh )
// {
// if (!isset($HTTP_POST_VARS['sid']) || $HTTP_POST_VARS['sid'] != $userdata['session_id'])
// {
// // I've not added this to the language set at this time ... re-releasing
// // every single language to include this for the once in a blue moon
// // time it will be output is just not worthwhile at present.
// message_die(GENERAL_MESSAGE, 'Invalid_session');
// }
// }
Hope that helps...
Ish
Cyberclark
Elite Nuker
Joined: Nov 20, 2002
Posts: 237
Posted: Sat Jun 14, 2003 9:38 am
This post looks like a better solution to the problem. He has made it so you can choose which users don't have to go through the security process, so that only those users who have problems will bypass the sessions issue! This will keep the security in force for the majority of your users while allowing those with problems unrestricted access!
Ishtaria
Nuke Soldier
Joined: Apr 22, 2003
Posts: 22
Posted: Thu Jun 19, 2003 7:37 am
Hi mFactor,
The problem is that they are relying on something that is not reliable, that the user's IP address is consistent.
They could have done the same "double bind" security model by substituting the IP address with a cookie, for example.
Sure, it's possible that someone could be polling the data lines with a packet sniffer, snag this information from someone's phpBB session, and then hijack their phpBB session. But, for Christ's sake!!! We're talking about a freaking BBS here, not a credit card transaction.
If somebody has a BBS installed, and they are losing sleep over crap like that, they should secure the darn thing behind an SSL connection.
Ish
_________________ The hippocampus is NOT a place of higher learning for hippopotamuses.
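The mechanism described in this thread, as an added model that is not phpBB's own code (SessionStore, pagestart, post_flow and the user and IP values are all constructed): binding the session to the client IP means a changed IP silently produces a new session, so the sid embedded in the reply form no longer matches at submit time and the Invalid_session branch quoted above fires. The same model covers the three choices the thread discusses: disabling the sid test outright, exempting particular users from it, and not binding the session to the IP at all (the cookie-only "double bind" mentioned above).

```python
# Constructed model of the phpBB 2 session behaviour discussed in this thread.
# Not phpBB code; all names and sample values here are made up.
import secrets


class SessionStore:
    def __init__(self, bind_ip=True, sid_check=True, exempt_users=()):
        self.sessions = {}                       # sid -> {"user": ..., "ip": ...}
        self.bind_ip = bind_ip                   # tie the session to the client IP
        self.sid_check = sid_check               # the posting.php test quoted above
        self.exempt_users = set(exempt_users)    # per-user bypass of that test

    def start(self, user, ip):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def pagestart(self, cookie_sid, user, ip):
        """Run on every request. If the cookie's session no longer validates
        (here: the IP changed while IP binding is on), a fresh session is
        issued silently, which is the 'passive' case the thread describes."""
        sess = self.sessions.get(cookie_sid)
        if sess and sess["user"] == user and (not self.bind_ip or sess["ip"] == ip):
            return cookie_sid
        return self.start(user, ip)

    def submit_post(self, form_sid, current_sid, user):
        """The 'active' case: the hidden sid field in the form must equal the
        session the submit request resolved to, unless the test is disabled
        (the comment-out fix) or the user is on the exempt list."""
        if self.sid_check and user not in self.exempt_users and form_sid != current_sid:
            return "Invalid_session"
        return "posted"


def post_flow(ips, **store_opts):
    """ips: the client IP seen at login, when opening the reply form, and at
    submit. Returns what the user sees after pressing Submit."""
    store = SessionStore(**store_opts)
    user = "aol_user"                                  # constructed user
    cookie = store.start(user, ips[0])                 # log in
    cookie = store.pagestart(cookie, user, ips[1])     # open the reply form
    form_sid = cookie                                  # sid embedded in the form
    cookie = store.pagestart(cookie, user, ips[2])     # submit the form
    return store.submit_post(form_sid, cookie, user)
```

Only the submit request's IP matters: a change between login and opening the form is absorbed because the new sid is what gets embedded in the form.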
RastaMan
Nuke Soldier
Joined: Jun 09, 2003
Posts: 17
Posted: Thu Jun 19, 2003 5:06 pm
Thanks.. This helps a lot, I have been getting these complaints...
jimmyjimjim
Lieutenant
Joined: Jan 23, 2003
Posts: 258
Location: USA
Posted: Thu Jun 19, 2003 5:54 pm
Will this also fix why a user disappears from the list of users online in the message forums?
Ishtaria
Nuke Soldier
Joined: Apr 22, 2003
Posts: 22
Posted: Fri Jun 20, 2003 2:30 am
Hi jimmyjimjim,
No, it would only address the "invalid session" error.
Ish
_________________ The hippocampus is NOT a place of higher learning for hippopotamuses.
bocciaqueen
Nuke Cadet
Joined: Jun 28, 2003
Posts: 3
Posted: Sat Jun 28, 2003 3:01 pm
kevin67
Nuke Cadet
Joined: Jun 26, 2003
Posts: 6
Posted: Thu Jul 03, 2003 4:01 am
Once the sessions part is commented out, does this stop some of the features on the board such as "View posts since last visit"?
Evcz
Nuke Soldier
Joined: Jun 21, 2003
Posts: 26
Location: Italy
Posted: Fri Jul 04, 2003 7:16 am
I think that with this "fix" you damage the security of your board... in fact you disable the session control...
_________________ The only way in order to discover
the limits of the possible
is that one to exceed them,
entering in the impossible world.
Zummi
Nuke Cadet
Joined: Jul 06, 2003
Posts: 2
Posted: Sun Jul 06, 2003 7:36 am
Double check your Forum's config and confirm that the cookie domain is set properly. When I got this error I changed the cookie domain and it solved it.
bocciaqueen
Nuke Cadet
Joined: Jun 28, 2003
Posts: 3
Posted: Mon Jul 07, 2003 1:47 am
PLEASE, somebody help this bocciaqueen to rectify the problem, but in layman's terms.........
Alchera
Nuke Soldier
Joined: Jul 05, 2003
Posts: 23
Location: Australia
Posted: Mon Jul 07, 2003 4:58 am
Hi bocciaqueen,
In simple terms... go to General Admin~Configuration and just set Cookie domain to exactly what you have for Domain Name, i.e. www.your.domain.com
_________________ "Live Outside The Square You Live In"
"Vivez hors du quartier où vous habitez"
bocciaqueen
Nuke Cadet
Joined: Jun 28, 2003
Posts: 3
Posted: Mon Jul 07, 2003 5:09 am
Thank you for talking in English! I will try this but may need to contact you again if I get lost in the world of Nuke.
Thanks