nesdev.com
http://forums.nesdev.com/

Forum keeps logging me out
http://forums.nesdev.com/viewtopic.php?f=13&t=10419
Page 1 of 2

Author:  thefox [ Mon Aug 26, 2013 6:27 am ]
Post subject:  Forum keeps logging me out

Not sure what has happened, or if it's just me, but the forum now keeps logging me out daily (or so) even though I have checked the "Log me on automatically each visit" checkbox when logging in.

Earlier on I (practically) never had to log in manually after ticking the checkbox.

Author:  tepples [ Mon Aug 26, 2013 7:12 am ]
Post subject:  Re: Forum keeps logging me out

Are you logging in and out on another device? On a lot of sites, if you click "log out", the site ends all active sessions associated with your user account.

Author:  koitsu [ Mon Aug 26, 2013 7:35 am ]
Post subject:  Re: Forum keeps logging me out

1. Tepple's theory is sound/legitimate,

2. Sometimes this is caused by caching problems with one's browser, where certain cached pages and/or saved cookie data stop working. I've seen this in Firefox and IE over the years, so I would not be surprised if Chrome had similar issues. Clear everything and see if things improve,

3. Sometimes this is caused by issues server-side pertaining to PHP sessions, which on the new server are dropped into /tmp. The "garbage collector" (gc) may also periodically pick them up/nuke them, although the rate at which it does is fairly low (less aggressive than Parodius):

Code:
session

Session Support => enabled
Registered save handlers => files user
Registered serializer handlers => php php_binary

Directive => Local Value => Master Value
session.auto_start => Off => Off
session.bug_compat_42 => On => On
session.bug_compat_warn => On => On
session.cache_expire => 180 => 180
session.cache_limiter => nocache => nocache
session.cookie_domain => no value => no value
session.cookie_httponly => Off => Off
session.cookie_lifetime => 0 => 0
session.cookie_path => / => /
session.cookie_secure => Off => Off
session.entropy_file => no value => no value
session.entropy_length => 0 => 0
session.gc_divisor => 1000 => 1000
session.gc_maxlifetime => 1440 => 1440
session.gc_probability => 1 => 1
session.hash_bits_per_character => 5 => 5
session.hash_function => 0 => 0
session.name => PHPSESSID => PHPSESSID
session.referer_check => no value => no value
session.save_handler => files => files
session.save_path => /tmp => /tmp
session.serialize_handler => php => php
session.use_cookies => On => On
session.use_only_cookies => On => On
session.use_trans_sid => 0 => 0

Note to anyone looking at those and wanting to make some remark: say nothing until you go look at and fully read the PHP documentation for the settings in question.

4. This topic has come up more than once over the years. In most cases it has turned out to be certain user behaviour or oddities like those I've mentioned above,

5. Troubleshooting this is surprisingly difficult,

6. I haven't seen this problem even once, in all the years I've been using the site -- except for one situation: during the server migration/move, and that was easily explained (the FQDN associated with the site (thus cookie) changed, thus understandably confusing the hell out of browsers). However I only access the forum from one place (my home PC).

Author:  thefox [ Mon Aug 26, 2013 12:12 pm ]
Post subject:  Re: Forum keeps logging me out

tepples wrote:
Are you logging in and out on another device? On a lot of sites, if you click "log out", the site ends all active sessions associated with your user account.

Nope. And moreover, on phpBB that doesn't seem to be the case. And this has happened for several days, on many of which I've definitely not logged in from multiple devices.

koitsu wrote:
2. Sometimes this is caused by caching problems with one's browser, where certain cached pages and/or saved cookie data stop working. I've seen this in Firefox and IE over the years, so I would not be surprised if Chrome had similar issues. Clear everything and see if things improve,

Clearing all cookies from *nesdev.com domain(s) was the first thing I tried when this occurred. No luck.

I guess it might be caused by an update of Chrome. Or something. Anyway, it's not a huge deal. I just thought I'd post in case somebody else was seeing the same problem.

Author:  James [ Fri Aug 30, 2013 12:47 pm ]
Post subject:  Re: Forum keeps logging me out

This is happening to me too. It first started a few days ago (I think the same day that thefox reported it), on both my PC and iPhone. Since then, it's happened a couple of times on my PC, but my iPhone has stayed logged on.

I'm using Safari on my iPhone, iOS 6.1.4, and Chrome 29.0.1547.62 m on my PC.

Author:  thefox [ Sat Aug 31, 2013 1:22 am ]
Post subject:  Re: Forum keeps logging me out

Funny thing. It logged me out again (= displayed the username/password/login fields), but in the "Who is online" block it still displayed: Registered users: bazz, Bing [Bot], Google [Bot], thefox

Author:  thefox [ Sat Aug 31, 2013 11:57 pm ]
Post subject:  Re: Forum keeps logging me out

And some more debugging info. Today, I took a look at the cookies before opening this site:
Code:
Name:   phpbb3_6cazq_k
Content:   cde33d44[censored]
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Saturday, August 31, 2013 11:10:50 PM
Expires:   Sunday, August 31, 2014 11:10:50 PM

Name:   phpbb3_6cazq_sid
Content:   ef32d8ce907e904b[censored]
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Saturday, August 31, 2013 11:10:50 PM
Expires:   Sunday, August 31, 2014 11:10:50 PM

Name:   phpbb3_6cazq_u
Content:   80
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Saturday, August 31, 2013 11:10:50 PM
Expires:   Sunday, August 31, 2014 11:10:50 PM


And after browsing to this site:
Code:
Name:   phpbb3_6cazq_k
Content:   
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Sunday, September 1, 2013 8:43:26 AM
Expires:   Monday, September 1, 2014 8:43:26 AM

Name:   phpbb3_6cazq_sid
Content:   8468da1b880cb071[censored]
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Sunday, September 1, 2013 8:43:26 AM
Expires:   Monday, September 1, 2014 8:43:26 AM

Name:   phpbb3_6cazq_u
Content:   1
Domain:   .forums.nesdev.com
Path:   /
Send for:   Any kind of connection
Accessible to script:   No (HttpOnly)
Created:   Sunday, September 1, 2013 8:43:26 AM
Expires:   Monday, September 1, 2014 8:43:26 AM


As you can see, phpbb3_6cazq_k got cleared, phpbb3_6cazq_u got reset to a different value, and the session ID also was reset. This makes me think that the server had already purged the session before I opened the site today.

What's strange though is the "Who is online" list. Maybe it's managed separately from the sessions...

Author:  infiniteneslives [ Sun Sep 01, 2013 10:07 am ]
Post subject:  Re: Forum keeps logging me out

For what it's worth I've been getting logged out frequently as well. I do login from 3-5 different PCs/devices on a given day, but usually I only have to login again ~once a month or so I'd say.

Author:  tokumaru [ Sun Sep 01, 2013 5:34 pm ]
Post subject:  Re: Forum keeps logging me out

Just for the record, I'm not experiencing this problem even though I access the forums from a many different computers/networks. In only one of them I chose to remain logged in, which works just fine.

Author:  koitsu [ Tue Sep 03, 2013 2:39 am ]
Post subject:  Re: Forum keeps logging me out

I'm sorry I can't help a lot with this issue (it'd be easier if I was experiencing it myself), but if it's believed to be a phpBB (forum software) bug, we use 3.0.10 right now and 3.0.11 is the latest. Here's the changelog:

https://www.phpbb.com/support/documents ... on=3#v3010

I did see issues relating to "stuck PMs" fixed in 3.0.11 (some folks here may remember that issue -- unrelated to what we're talking about, but I just happened to notice it while skimming).

3.0.12 is not out yet, but here are the changes proposed so far:

https://www.phpbb.com/support/documents ... on=3#v3011

If the issue is believed to be with PHP, the PHP version used is 5.3.15. The latest is 5.5.3, and if there was a place that was most likely responsible for this, it'd be in the sessions module or (remote possibility) the core.

http://www.php.net/ChangeLog-5.php

My gut feeling is that it's some kind of phpBB "thing", since server-side I don't really see anything that indicates an issue, but it's hard for me to diagnose this (as said, can't really help with that). I did find this:

https://www.phpbb.com/community/docs/FA ... out_issues

What's described here is vague/weird -- the settings are actually under the General tab, under Server Configuration / Load Settings. I've attached two screenshots (01.jpg and 02.jpg) showing what we have these set to. I've also included a screenshot of the Cookie Settings section since some of what thefox mentioned above is referenced there.

Keep in mind two things when looking at these screenshots (but please keep reading):

1) The session timeout value shown is just an indicator of how long you can be actively logged in before the board will automatically log you out. If you are a person who leave a tab open at all times here at the forum, then yes, my understanding is that you will be getting logged out after 3600 seconds of not interacting with the site anywhere; this is by design. Increasing this number might sound like a reasonable thing to do, but then again it may not be a wise thing to do. For example if someone is leaving the browser window/tab to the site open for an entire day, then the number would have to be increased to 60*60*24 = 86400 seconds or thereabouts. I would much rather people just close the damn tab/window when they're done. (I actually generally do not have to re-log-in very often on my setup, it's quite rare, but I also do not use tabs and I do not leave browser windows open indefinitely; I always [X] out of things when I'm done)

2) The settings shown there are phpBB-specific and not PHP-specific; PHP has its own types of control over sessions as well (specifically the GC cleaning up old files, etc.). So these two things require a somewhat "balanced" series of settings that match up well and don't conflict with one another.

Anyway, this caused me to find this post:

https://www.phpbb.com/community/viewtopic.php?t=2015965

Where someone states up front that the "session IP validator" basically looks at the network block you're part of, and requires a session to be valid only if the client IP connecting is within the same /24 (this would be a security measure). So, if your ISP is doing something like NAT'ing your outbound connections to the forum (usually done at workplaces for lots of reasons, but also for load balancing), and the connecting client IP could therefore flip in real-time from 1.2.3.4 to 1.2.9.16 (for example) then I can see this causing a person who was active on the forum to suddenly log out. Remember, this is not your "workstation IP address", this is actually what gets seen IP-address-wise on the nesdev server.

The settings we use permit the last octet to float/change (i.e. the A.B.C method), as indicated in the 03.jpg screenshot. I am happy to try changing this to something else ("None" possibly), but I would much rather not if the root cause can be determined.

But as you can see, there are other security measures phpBB has in place (and some I have blacked out in the screenshot because we do know spammers/etc. show up here and this is not the Moderators board so these posts/this information is public) to also "verify" that the client connecting is who it says it is -- specifically "validating the browser" (probably comparing User-Agent strings), handling situations where the browser (HTTP client) includes the X-Forwarded-For header (this is often use by caching proxies, so if you're at a workplace that uses an HTTP proxy server then this header might be included and your web browser wouldn't be sending it, the proxy server would -- the only way for us to see this would be to use tcpdump on the server, which I cannot do) and also referer validation.

Basically my point here is that there's lots of "stuff" that could cause this to go awry for someone, and troubleshooting it requires familiarity with all the aforementioned things, plus requires that the troubleshooting be done in real-time. For example I cannot go back and look at site (Apache) access logs to track down thefox -- username/etc. is not stored anywhere in the logs, so all I could go off of is IP address, but as I said above if the IP address is shifting around a lot then my greps/etc. are going to be wrong/incorrect (the site gets hit a *lot*).

The best I can do is try to get exact timestamps from you (please include timezone, or if you can just give me UTC timestamps that would make my job much much easier (server log timestamps are in UTC)) when you see the issue start, along with the exact time you had to re-log-in, and I try to figure out if it's the session IP validator that's causing it. I've already grepped through logs and there just isn't enough information to key off of there (no way to correlate an access to a username).

Welcome to The Internet(tm) and Web Crap of today, and what we SAs have to deal with all the time.

Attachments:
03.jpg
03.jpg [ 232.88 KiB | Viewed 8702 times ]
02.jpg
02.jpg [ 199.71 KiB | Viewed 8702 times ]
01.jpg
01.jpg [ 223.9 KiB | Viewed 8702 times ]

Author:  thefox [ Tue Sep 03, 2013 3:41 am ]
Post subject:  Re: Forum keeps logging me out

koitsu wrote:
Where someone states up front that the "session IP validator" basically looks at the network block you're part of, and requires a session to be valid only if the client IP connecting is within the same /24 (this would be a security measure). So, if your ISP is doing something like NAT'ing your outbound connections to the forum (usually done at workplaces for lots of reasons, but also for load balancing), and the connecting client IP could therefore flip in real-time from 1.2.3.4 to 1.2.9.16 (for example) then I can see this causing a person who was active on the forum to suddenly log out. Remember, this is not your "workstation IP address", this is actually what gets seen IP-address-wise on the nesdev server.

The settings we use permit the last octet to float/change (i.e. the A.B.C method), as indicated in the 03.jpg screenshot. I am happy to try changing this to something else ("None" possibly), but I would much rather not if the root cause can be determined.

I'm 99% certain this is not the cause of it because I have a static IP address.

I'm going to try Firefox for a couple of days to see if the same problems occur with it too.

Author:  thefox [ Wed Sep 04, 2013 8:53 am ]
Post subject:  Re: Forum keeps logging me out

The problem doesn't occur on Firefox. So probably a recent update of Chrome changed something that causes phpBB to invalidate the session (maybe the User-Agent changes ever so slightly (that would be strange, though), or something...)

Author:  3gengames [ Wed Sep 04, 2013 5:46 pm ]
Post subject:  Re: Forum keeps logging me out

Chrome, up to date on multiple PC's and OS's, no problems.

Author:  tokumaru [ Sat Sep 07, 2013 8:18 pm ]
Post subject:  Re: Forum keeps logging me out

A few days ago I said I wasn't experiencing this problem... well, I am now. I get logged out almost every day. Chrome has updated itself recently, so I suspect that there's something up with that, like thefox suggested.

Author:  thefox [ Sat Sep 21, 2013 1:12 am ]
Post subject:  Re: Forum keeps logging me out

I want to add that this is not the only phpBB forum that is logging me out frequently now when using Chrome.

Page 1 of 2 All times are UTC - 7 hours
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/