Old 06-14-2003, 06:18 AM
Ishtaria
Junior Member
Join Date: May 2003
Posts: 7
Invalid Session - IMPORTANT INFORMATION
Hi,

I have seen a number of people mention that a few of their users are encountering the "Invalid Session" error when trying to post in the PHP-Nuke/phpBB forums.

There appears to be a lack of understanding regarding this bug, and I thought I would make this post to help out.

This bug occurs when the user cookie does not match the user's assigned "session" in phpBB (which can occur if the user's cookie "expires" during a session). It is a scheme that was implemented at phpBB in an attempt to prevent hackers from grabbing someone's forum "session" and taking the identity of that logged in user.

To further make this scheme secure, phpBB incorporated the user's IP address into the mix, so that the user's current IP address is used in the "screen to screen" validation process. Unfortunately, for some users whose ISP uses dynamically assigned IP addresses this can pose a very serious problem.

One example is AOL. AOL assigns an IP address to a user which can change from one internet request to the next. In other words, an AOL user does not have the same IP address from the point of clicking on a post, to clicking on "reply" to clicking on "Submit." 3 different IPs in 3 different actions.

During "passive" actions (such as viewing a post) this is not critical and phpBB simply assigns a new session to the user. But in active actions (such as posting) phpBB is less tolerant and flags this as an "invalid session."


You will note that many admins who are experiencing this on their sites will state that it is only "a few" users having this problem. Chances are very high that their ISPs use this dynamic IP assignment scheme, and that if they have the user go to a web site which displays their IP address, that from one click to the next (or every couple of clicks within a few minutes) they will see that their IP address changes.


The only fix (sic) that I have found which completely addresses this problem is to disable (comment out) the validation checking in the phpBB source code. You can find these code segments (there are many of them across several modules) by performing a text search for "Invalid_session".

Before you run out and do this, you should acknowledge to yourself that you are actively disabling some security code in your forum. I personally question the chance of someone hijacking an active user's session (which is what this security scheme is designed to prevent). To hijack a user's session would take some incredibly heroic efforts on the part of a hacker. But, regardless of "my opinion", before doing this you should investigate this further, and the place to do this is directly from the phpBB implementation team here:

http://www.phpbb.com/phpBB/viewtopic.php?t=69493
http://www.phpbb.com/kb/article.php?article_id=54


BTW, this problem is still occurring in PHP-Nuke 6.7 (which is where I have implemented my fix). It appears that all attempts to address this so far have involved changing the cookie expiration period (the current "fix" listed simply changes the field values from "0" to "3600" seconds). This will fix the problem if the user is experiencing cookie expiration. But it WILL NOT fix the problem for someone like an AOL user.


I hope that this helps to clear up some of the mystery surrounding the Invalid Session problem.

Ish

I have also posted this HERE at nukecops.com
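The validation the post describes, reduced to its essence as an added illustration in Python (this is not phpBB's code, and phpBB's own checks are spread across several modules): a session started from one address is rejected when a later request, such as clicking "reply" or "Submit", arrives from a different one. The example goes beyond the post by making the number of leading IP octets that must match configurable, which shows the middle ground between a full-address check and commenting the check out entirely; the request sequences and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed for the demonstration.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user_id: int
    ip: ipaddress.IPv4Address  # address the session was started from


class SessionStore:
    """In-memory session table. validate() compares the stored address with
    the requesting address on the first `ip_octets` octets only
    (4 = whole address, as described in the post; 0 = no IP check)."""

    def __init__(self, ip_octets: int = 4):
        if not 0 <= ip_octets <= 4:
            raise ValueError("ip_octets must be between 0 and 4")
        self.ip_octets = ip_octets
        self.sessions: dict[str, Session] = {}

    def start(self, user_id: int, ip: str) -> str:
        sid = secrets.token_hex(16)  # unguessable session id for the cookie
        self.sessions[sid] = Session(user_id, ipaddress.IPv4Address(ip))
        return sid

    def validate(self, sid: str, ip: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:  # unknown or expired cookie -> "invalid session"
            return False
        n = self.ip_octets
        return sess.ip.packed[:n] == ipaddress.IPv4Address(ip).packed[:n]


def run_posting_flow(ip_octets: int, ips: list[str]) -> list[bool]:
    """Log in from ips[0], then validate each later request (for example
    clicking 'reply', then 'Submit') from the address it arrives on."""
    store = SessionStore(ip_octets)
    sid = store.start(user_id=42, ip=ips[0])
    return [store.validate(sid, ip) for ip in ips[1:]]


# Constructed request sequences using documentation-only address ranges.
STABLE_USER = ["203.0.113.10", "203.0.113.10", "203.0.113.10"]
SAME_NET_USER = ["203.0.113.10", "203.0.113.77", "203.0.113.5"]
ROAMING_USER = ["203.0.113.10", "198.51.100.23", "192.0.2.200"]
```

With the full-address check the same-network and roaming users fail on every request after login, exactly the "invalid session" the post describes; a 3-octet check keeps the same-network user working while still rejecting a session presented from an unrelated network, and only 0 octets accepts the roaming user.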