IntegraMOD

[krillmeed]

Your phpBB Version: 2.0.
phpBB Type: Integramod 141
MODs: Yes
Your knowledge: Basic Knowledge
Board URL: http://www.krillmeed.com/forum/index.php

PHP Version:
MySQL Version:


What was done before the problem appeared?
Nothing


What was done to try to solve the problem?
Cookie mod installed



De.scription and Message

One of my members have asked this question, so i thought it would be better coming from her:

It finally came to my attention, that everytime my IP rolled over my address, I would not be logged on to the board anymore. I can set it to log me in automatically, but when my IP rolled over, I had to log in again when I returned and I would get the warning that my IP address was different and I might not be me.

LIGHT BULB!

I do not know how this affects those with AOL, but it would probably explain why Elorie and possibly others cannot stay logged onto the site. More frequent roll-overs would cause one to not stay logged onto the board... at least in theory.

What to do about it? I don't know, because 1. those with IPs who have very frequent roll-overs don't have control over this issue. 2. Only Krill and Omega can fix security settings and this might present a security problem if they messed with this particular feature.

However, this is only a theory due to experience and observation. My IP address rolls over at least once a week, my setting to stay logged on becomes defunct thus I have to log in again (no biggy since it doesn't happen too often to me) and then I get the warning that my addy has changed after I log in again.

Recommendation? For those who have headaches staying logged on, watch for this warning (it will be at the top of the board after logging in as a tip), and see if my theory pans out for any of you and then report back in this thread after you notice it X amount of times. After that, maybe Krill and Omega can work with the issue.

Also, if my correlation doesn't hold true for any of you having headaches, let us know, because then we will know my theory has no basis and the problem is something else. Thanks.

Elorie, hopefully we can solve your problem with staying logged onto the board as we test my theory. Hopefully, you are not my only guine pig.

I have installed the cookie mod a few times, as for the staying logged in, could this because of i have more than one Integramod forum on my domain? Or as she said, roving IPÂÂ ´s. I do not have this problem with phpbb2 forums i visit, just integramod. Its no biggy, I think Integramod is THE best around, but would be nice to be able to keep going on my sites without having to login again <img>

[gcomfx.com]

I have a few members complaining about not staying logged in. I only have one install.... I haven't found a fix yet.

[sanji]

I have noticed a similar problem when I have Webroot Antivirus / Web Browser / Tracking Cookies activated. If this option in my anti-virus is not selected, I can stay connected on my forum and IM, but if this option is selected, I get disconnected every time my IP is changed - which happens often...

sanji

[gcomfx.com]

I have noticed a similar problem when I have Webroot Antivirus / Web Browser / Tracking Cookies activated. If this option in my anti-virus is not selected, I can stay connected on my forum and IM, but if this option is selected, I get disconnected every time my IP is changed - which happens often...

sanji

I'll give this a test to confirm the results here. Can I ask what the consequences are?

[CaNNon]

I don't think that a forum should keep you logged in when that happens. If the ip has changed then you should have to re authenticate for security reasons.

Logging in again rematches the user and the cookie. Its simple and effective.

[gcomfx.com]

I agree, but for people that can't control it... AOL users for instance, plus a few people I know checking from their place of work. It's a PITA, and they can't even post.

[CaNNon]

few people I know checking from their place of work.

Thats not the same thing, they should only get a warning that the account ip has changed.

Could you check a few peeps, see if they are set to stay logged in on one pc and then trying to loggin from another?

[CaNNon]

I'm starting to notice this happening to me here. Could it be some mod or setting you have in common with this forum that I don't have on mine?
[tab]My ip changes every day and i do stay logged in on my site.

[gcomfx.com]

I don't have any mods. Just 1.4.1 installed with a few small bug fixes.

[gcomfx.com]

few people I know checking from their place of work.

Thats not the same thing, they should only get a warning that the account ip has changed.

Could you check a few peeps, see if they are set to stay logged in on one pc and then trying to loggin from another?

Don't think I wrote that clearly. I have two members that can not stay logged in at their place of work. At home they are fine. Their work IP is the same, but they are logging into two different accounts. There was a problem with ONE worker there, but now there are two members and two accounts. They work together and both continue to have the same issues. Weird.

[gcomfx.com]

Update on MY issue:

"Hey, I've figured out what's causing the problem. We have 2 completely separate ISPs here. The router right now just switches between the two to whichever one is not in use at the time. We have a cable ISP and a DSL ISP. Do you have an idea on how to make where it just uses one and only uses the other when the primary is non-functional? So it's not a problem on your end

[CaNNon]

errr... no short answer on that one. <img>

[gcomfx.com]

Yeah...

[CaNNon]

the router is where they work and not at your server then?

[gcomfx.com]

Yes. <img>

[krillmeed]

This does seem to be a AOL Problem, sorry i did not get back to this, but received no email replies for it. This dear lady has got back to me, and i am afraid the problem seems to have got worse. I attach to this post screen shots, of the problem. They have all been passed through my anti virus, and are safe, this does seem to be a AOL problem i think. Please Please Please help, since she is very important to our forum

[Helter]

it may be a browser issue also. I am having this problem latley on almost all of the sites I normally visit, including phpbb2, phpbb3 IntegraMOD and nuke forums. Since it is mostly happening in FF, it could be related to a recent FF update, but it is also occasionally happening in IE. I have deleted cookies and caches and reinstalled to no avail. I know what a pain it must be for her.

[krillmeed]

She has told me she has bypassed AOL now, and can at least log in. Will keep everyone posted if this solves the problem. Thanks Helterskelter for the quick response. I told her, if you do not have the solution for this, then what chance do us meer mortals have for solving it LOL

[meijin]

When it coes to AOL users, try this...it is straight from the phpBB folks:


# My AOL based users keep getting logged out!

phpBB2 uses sessions to keep track of users as they browse the board. These sessions use a combination of a unique session id and the users IP to identify each user. We make use of the IP as an extra safe-guard to help prevent sessions being hijacked (by discovering the unique session id).

Unfortunately this only works when the users IP is constant as they browse the board. For most users this will be the case. However certain providers route their users via a cluster of proxys. In some cases, particularly AOL this results in different IPs being forwarded as the user moves between pages. We take account of this by not checking the entire IP but only the first "three quads". Again in most cases this will be fine. However again AOL uses IPs which can vary so much that checking only the first two quads results in a fairly static IP being available for session validation.

If you are experiencing problems related to this you can make a small change to the code. Please note that reducing the IP validation length does potentially increase the risk of sessions being hijacked (this is something for you to consider, phpBB Group takes no responsibility should anything happen!). The change requires you to open the file sessions.php in the includes/ directory of the distribution. Find line 250, it contains the following

$ip_check_s = substr($userdata['session_ip'], 0, 6);

change this to:

$ip_check_s = substr($userdata['session_ip'], 0, 4);

You need to make exactly the same change to the number 6 in the next line. Save the file (and upload it if required). This should reduce or eliminate the problem noted.

[krillmeed]

Please note that reducing the IP validation length does potentially increase the risk of sessions being hijacked (this is something for you to consider, phpBB Group takes no responsibility should anything happen!).

What does this mean? If i carry this out it will be possible to hack my forum?

Thanks for the detailed answer by the way <img>

[meijin]

I'll let the more experienced folks speak more indepth on this, but I have been told that this does not add an unnecessary security risk in the overall scheme of things.

[Helter]

every forum is possible to hack, if the culprit is determined and smart enough. This fix just makes your forum a little more vulnerable to a specific type of hack.
Generally .script kiddies dont know what they are doing, they just read that whatever .script they downloaded will work on specific types of forums. If you have several users who need this fix, then you have to weight the benefits against the risk.
I think that in order for this fix to work, you might also have to adjust CTracker, because it also reviews ips.
This is also the type of fix that should remain a secret . The fewer the ppl who know about any drop in security the better.

[meijin]

Any ideas what would need to be done with CTTracker? I have held off on this, but have a TON of AOL users that are trying (unsuccessfully) to use my site.

Thanks!

[CaNNon]

Try it meijin, run it and have a AOL user test. Make sure you back up the file first,do the edit then set CT in debug mode and have the AOL user try everything.

lets say for comparing:

122.2.231.24 is the full ip.
122.2.23* is what they are matching to the sessions.
122.2* and is what they are suggesting for the new match to sessions.

Don't get me wrong helter is right you are lowering your protection but I think there is still enough geography in the handling that you be should ok. What you should also do though is protect/watch admin accounts in this case though.

[krillmeed]

As far as i know it is only one user. She can now stay logged in by bypassing AOL. So i think for securities sake i will leave it at least for the moment.
I would appreciate though meijin if you post any changes you have to make to CTTracker for future reference if you donÂÂÂ ´t mind.

[Helter]

i looked through the CT Login IP Feature and it looks like it will not ban. It will just warn of the changes. In not sure what affect it will have on your sessions table though