Nukemods Forum » PHP-Nuke 6.5 to 6.9 » Nuke 6.5 to 6.9 - Modules
#1
06-14-2003, 05:18 AM
Junior Member
Join Date: May 2003
Posts: 7
Invalid Session - IMPORTANT INFORMATION
Hi,

I have seen a number of people mention that a few of their users are encountering the "Invalid Session" error when trying to post in the PHP-Nuke/phpBB forums.

There appears to be a lack of understanding regarding this bug, and I thought I would make this post to help out.

This bug occurs when the user cookie does not match the user's assigned "session" in phpBB (which can occur if the user's cookie "expires" during a session). It is a scheme that was implemented at phpBB in an attempt to prevent hackers from grabbing someone's forum "session" and taking the identity of that logged in user.

To further make this scheme secure, phpBB incorporated the user's IP address into the mix, so that the user's current IP address is used in the "screen to screen" validation process. Unfortunately, for some users whose ISP uses dynamically assigned IP addresses this can pose a very serious problem.

One example is AOL. AOL assigns an IP address to a user which can change from one internet request to the next. In other words, an AOL user does not have the same IP address from the point of clicking on a post, to clicking on "reply" to clicking on "Submit." 3 different IPs in 3 different actions.

During "passive" actions (such as viewing a post) this is not critical and phpBB simply assigns a new session to the user. But in active actions (such as posting) phpBB is less tolerant and flags this as an "invalid session."


You will note that many admins who are experiencing this on their sites will state that it is only "a few" users having this problem. Chances are very high that their ISPs use this dynamic IP assignment scheme, and that if they have the user go to a web site which displays their IP address, that from one click to the next (or every couple of clicks within a few minutes) they will see that their IP address changes.


The only fix (sic) that I have found which completely addresses this problem is to disable (comment out) the validation checking in the phpBB source code. You can find these code segments (there are many of them across several modules) by performing a text search for "Invalid_session".

Before you run out and do this, you should acknowledge to yourself that you are actively disabling some security code in your forum. I personally question the chance of someone hijacking an active user's session (which is what this security scheme is designed to prevent). To hijack a user's session would take some incredibly heroic efforts on the part of a hacker. But, regardless of "my opinion", before doing this you should investigate this further, and the place to do this is directly from the phpBB implementation team here:

http://www.phpbb.com/phpBB/viewtopic.php?t=69493
http://www.phpbb.com/kb/article.php?article_id=54


BTW, this problem is still occurring in PHP-Nuke 6.7 (which is where I have implemented my fix). It appears that all attempts to address this so far have involved changing the cookie expiration period (the current "fix" listed simply changes the field values from "0" to "3600" seconds). This will fix the problem if the user is experiencing cookie expiration. But it WILL NOT fix the problem for someone like an AOL user.


I hope that this helps to clear up some of the mystery surrounding the Invalid Session problem.

Ish

I have also posted this HERE at nukecops.com
#2
06-15-2003, 04:39 AM
Junior Member
Join Date: Jun 2003
Posts: 61
OK, I read it all and deleted all of the code, and now it works great and I can post. I'm just wondering if it was a mistake and how hackable my forum is right now. Should I be worried?
#3
06-15-2003, 11:59 AM
Junior Member
Join Date: Jun 2003
Posts: 139
It all kind of depends on your site. I mean, if you are just running a little site, then you shouldn't be too concerned, but if you have a site that expects 500+ members... someone may try something stupid.
#4
06-15-2003, 12:33 PM
Moderator
Join Date: Jan 2003
Posts: 338
The AOL workaround was not included with any of the fix patches because it is an ISP-specific problem and does not affect everyone. In all fairness, anyone having this problem can solve it by changing lines 323 and 324 of includes/sessions.php from:
Code:
    $ip_check_s = substr($userdata['session_ip'], 0, 6);
    $ip_check_u = substr($user_ip, 0, 6);
to:
Code:
    $ip_check_s = substr($userdata['session_ip'], 0, 4);
    $ip_check_u = substr($user_ip, 0, 4);
Removing the session check is not something I'd suggest to anyone, as their forums and/or site might be left open to attacks. Another reason why I didn't include this modification in the last patch is because it decreases the security by only checking a fraction of the IP address.
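As an added illustration (not code from this thread, and not phpBB's own code), the following Python model of the comparison in includes/sessions.php shows what the 6-to-4 change in the post above actually relaxes, and how the per-user exemption described later in the thread fits alongside it. It assumes phpBB 2's encode_ip representation, in which an IPv4 address is stored as eight hex characters, two per octet, so six characters cover the first three octets and four characters the first two. The IP addresses, the session-check flag and the function names are constructed for the demonstration.

```python
# Added example, not code from this thread or from phpBB: a Python model of
# the session/IP check in phpBB 2's includes/sessions.php, to show what the
# "6 to 4" change relaxes and how a per-user exemption fits in.
# Assumption: IPs are stored as phpBB 2's encode_ip does it, eight hex
# characters, two per octet. All IP addresses below are constructed.


def encode_ip(dotted: str) -> str:
    """Encode a dotted-quad IPv4 address as 8 hex characters (phpBB 2 style)."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return "".join(f"{int(o):02x}" for o in octets)


def session_ip_matches(session_ip: str, user_ip: str, chars: int = 6) -> bool:
    """Mirror of the sessions.php comparison: the first `chars` hex characters
    of the IP stored with the session must equal those of the request IP.
    chars=6 compares the first three octets (a /24), chars=4 the first two
    (a /16); a longer prefix is stricter, a shorter one is more tolerant of
    the ISP-side address changes described in the thread."""
    return encode_ip(session_ip)[:chars] == encode_ip(user_ip)[:chars]


def validate_posting(session_ip: str, user_ip: str, *, chars: int = 6,
                     session_check_enabled: bool = True, is_admin: bool = False) -> str:
    """Decide whether a posting request is accepted or rejected as an invalid
    session. Models a per-user exemption (constructed here): users with the
    check turned off are exempt, administrators are always checked."""
    if not session_check_enabled and not is_admin:
        return "ok (session check disabled for this user)"
    return "ok" if session_ip_matches(session_ip, user_ip, chars) else "Invalid_session"


def compare_prefix_lengths(session_ip: str, candidates: list) -> dict:
    """For each candidate request IP, report (passes with 6 chars, passes with 4 chars)."""
    return {ip: (session_ip_matches(session_ip, ip, 6), session_ip_matches(session_ip, ip, 4))
            for ip in candidates}


if __name__ == "__main__":
    session_ip = "172.128.10.5"  # constructed: IP recorded when the session started
    requests = [
        "172.128.10.77",   # same /24: an address change within one small pool
        "172.128.200.9",   # same /16, different /24: the AOL-style case
        "10.0.0.1",        # unrelated network
    ]
    print(f"session IP {session_ip} -> {encode_ip(session_ip)}")
    for ip, (six, four) in compare_prefix_lengths(session_ip, requests).items():
        six_s = "ok" if six else "Invalid_session"
        four_s = "ok" if four else "Invalid_session"
        print(f"{ip:>14}  6 chars: {six_s:15}  4 chars: {four_s}")
    print(validate_posting(session_ip, "10.0.0.1", session_check_enabled=False))
    print(validate_posting(session_ip, "10.0.0.1", session_check_enabled=False, is_admin=True))
```

Running the demo shows the trade-off the moderator describes: with six characters a request from the same /24 passes and the /16-only change fails, while with four characters both pass and the check accepts anything from the same /16. Exempting only the accounts that need it, with administrators always checked, keeps the relaxation to a few users instead of weakening the check for the whole board.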
#5
06-16-2003, 05:00 AM
Junior Member
Join Date: Jun 2003
Posts: 61
I tried changing that 6 to 4; it didn't work for me, and I'm not even on AOL.
I had to delete that ID check as my last choice, but it works great now, and my site is private and small, so I'm not worried.
Thanks for your help.
#6
06-19-2003, 03:32 PM
Junior Member
Join Date: Jun 2003
Posts: 9
Have you tried the session check patch?

Quote:
What it does
============
I do not want to turn off the Session check, but a few users have permanent problems posting. So I decided to exclude only them from the check.
And to do that I have created this interface.
I have used the users.php script from admin to create usersSessions.php, where you will be able to find a user and change his status (turn On/Off the Session Check).
Also I have added a small piece of code in the modules/Forums/posting.php file.
If you are logged in as administrator then you will ALWAYS be checked for invalid session.
All times are GMT -5.